CVE-2023-28432

Published Mar 22, 2023

Last updated 4 months ago

Overview

AI description

Automated description summarized from trusted sources.

CVE-2023-28432 is an information disclosure vulnerability found in MinIO, a multi-cloud object storage framework. This flaw specifically impacts MinIO cluster deployments released between December 17, 2019 (RELEASE.2019-12-17T23-16-33Z) and March 20, 2023 (prior to RELEASE.2023-03-20T20-16-18Z). The vulnerability arises because MinIO, in these affected versions, returns all environment variables, including sensitive credentials like `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, through an unauthenticated API endpoint. This exposure of environment variables can allow unauthorized parties to gain access to critical information such as secret keys and passwords. The vulnerable code is located in the `VerifyHandler` function within the `bootstrap-peer-server.go` file of the MinIO source code. Users of distributed deployments are particularly affected. The issue was addressed in MinIO RELEASE.2023-03-20T20-16-18Z and later versions.

Description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Source: security-advisories@github.com
NVD status: Analyzed
Products: minio

Risk scores

CVSS 3.1

Type: Primary
Base score: 7.5
Impact score: 3.6
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH

Known exploits

Data from CISA

Vulnerability name: MinIO Information Disclosure Vulnerability
Exploit added on: Apr 21, 2023
Exploit action due: May 12, 2023
Required action: Apply updates per vendor instructions.

Weaknesses

security-advisories@github.com: CWE-200
nvd@nist.gov: NVD-CWE-noinfo

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score: 22

‼️ One of the world's largest oral-care companies, Straumann Group ($20B), has been breached by Bytetobreach via CVE-2023-28432. Nearly all sensitive data was exposed in an unsecured MinIO instance on AWS, including: - Cybersecurity audits and docs 😶 - Customer data - Em
@IntCyberDigest
20 Feb 2026
19665 Impressions
44 Retweets
285 Likes
72 Bookmarks
8 Replies
2 Quotes

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A2A8F3D7-177F-4D52-B4F6-C4AB06AA4A4D",
            "versionEndExcluding": "2023-03-20t20-16-18z",
            "versionStartIncluding": "2019-12-17t23-16-33z"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References

Sources include official advisories and independent security research.