Minio - Information Disclosure (CVE-2023-28432)
- Severity
- CVSSv3 Score
- 7.5
- Vulnerability description
Minio server is vulnerable to CVE-2023-28432, an Information Disclosure vulnerability in the /minio/bootstrap/v1/verify endpoint. In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in Information Disclosure.
- Risk description
The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information from arbitrary files located on the file system of the server.
- Exploit capabilities
Sniper can extract custom artefacts as evidence from the target system.
- Recommendation
Upgrade Minio to the latest version.
- Codename
- Not available
- Detectable with
- Network Scanner
- Exploitable with Sniper
- Yes
- Vuln date
- Mar 2023
- Published at
- Updated at
- Software Type
- Multi-Cloud Object Storage Framework
- Vendor
- Minio
- Product
- Minio
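
A defender-side check for the endpoint named in the vulnerability description, added here as an example and not part of the original advisory: it scans access logs for requests to /minio/bootstrap/v1/verify that come from outside the cluster's own nodes. The combined log format, the peer subnet and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

VERIFY_PATH = "/minio/bootstrap/v1/verify"  # endpoint named in the advisory

# Assumption: a reverse proxy in front of MinIO writes combined-format access logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def is_peer(ip, peers):
    """True if ip belongs to one of the cluster's own node networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparsable source is treated as untrusted
    return any(addr in net for net in peers)

def find_verify_requests(lines, peer_networks):
    """Return requests to the bootstrap verify endpoint from non-peer sources."""
    peers = [ipaddress.ip_network(n) for n in peer_networks]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Normalise before comparing: drop the query string, decode %xx,
        # collapse repeated slashes and ignore a trailing slash.
        path = unquote(m["target"].split("?", 1)[0])
        path = re.sub(r"/{2,}", "/", path).rstrip("/")
        if path != VERIFY_PATH or is_peer(m["ip"], peers):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": int(m["status"])})
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.0.0.12 - - [24/Mar/2023:10:00:01 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.7 - - [24/Mar/2023:10:04:19 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.23 - - [24/Mar/2023:10:05:02 +0000] "GET //minio/bootstrap/v1/verify/?x=1 HTTP/1.1" 405 0 "-" "-"',
    '203.0.113.7 - - [24/Mar/2023:10:06:40 +0000] "GET /minio/health/live HTTP/1.1" 200 0 "-" "-"',
]
PEER_NETWORKS = ["10.0.0.0/24"]  # hypothetical cluster node subnet

if __name__ == "__main__":
    for hit in find_verify_requests(SAMPLE_LOG, PEER_NETWORKS):
        print(hit)
```

The status field in each hit lets a responder separate requests the server answered from ones it rejected.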