PT-2023-6751 · Minio+2

Donatello · Published 2023-03-20 · Updated 2024-12-26 · CVE-2023-28433

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
Minio versions prior to RELEASE.2023-03-20T20-16-18Z

Description
The issue is related to insufficient access control in Minio, a Multi-Cloud Object Storage framework. Minio fails to filter the `` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user.

Recommendations
For versions prior to RELEASE.2023-03-20T20-16-18Z, update to RELEASE.2023-03-20T20-16-18Z or later to resolve the issue. At the moment, there are no known workarounds for this issue.

Exploit

Fix

Improper Access Control

Exposure of Resource to Wrong Sphere

Information Disclosure


Weakness Enumeration

Related Identifiers

ALT-PU-2023-1522
ALT-PU-2023-1908
ALT-PU-2023-2074
ALT-PU-2024-17529
BDU:2023-07540
BIT-MINIO-2023-28433
CVE-2023-28433
GHSA-W23Q-4HW3-2PP6

Affected Products

Alt Linux
Minio
Red Os