Minio - Information Disclosure (CVE-2023-28432)

Severity
CVSSv3 Score: 7.5
CVE: CVE-2023-28432

Vulnerability description

Minio server is vulnerable to CVE-2023-28432, an Information Disclosure vulnerability in the /minio/bootstrap/v1/verify endpoint. In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in Information Disclosure.

Risk description

The risk exists that a remote unauthenticated attacker could exploit this vulnerability to read sensitive information from arbitrary files located on the file system of the server.

Exploit capabilities

Sniper can extract custom artefacts as evidence from the target system.

Recommendation

Upgrade the Minio to the latest version.

References

https://nvd.nist.gov/vuln/detail/CVE-2023-28432

https://ubuntu.com/security/CVE-2023-28432

Codename

Detectable with: Network Scanner
Exploitable with Sniper: Yes
Vuln date: Mar 2023
Published at: Apr 2023
Updated at: Apr 2023
Software Type: Multi-Cloud Object Storage Framework
Vendor: Minio
Product: Minio