Ricterz

**Name of the Vulnerable Software and Affected Versions** Minio versions prior to RELEASE.2023-03-20T20-16-18Z Minio version 2022.02.01-alt1 Minio version 2022.12.07-alt1 Minio version 2023.05.18-alt1 Minio version 2023.10.16-alt1 Minio version 2023.03.24-alt1 **Description** MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO SECRET KEY` and `MINIO ROOT PASSWORD`, resulting in information disclosure. This impacts all users of distributed deployments. Reports indicate this issue has been exploited in the wild, including a breach at Straumann Group, where sensitive data was exposed through an unsecured MinIO instance. The vulnerability allows attackers to potentially gain access to sensitive credentials. A POST request to the `/minio/bootstrap/v1/verify` endpoint can reveal these secrets. Approximately 105,895 systems are potentially exposed according to ZoomEye data. **Recommendations** Upgrade to RELEASE.2023-03-20T20-16-18Z or later. Upgrade to version 2022.02.01-alt1. Upgrade to version 2022.12.07-alt1. Upgrade to version 2023.05.18-alt1. Upgrade to version 2023.10.16-alt1. Upgrade to version 2023.03.24-alt1.

**Name of the Vulnerable Software and Affected Versions** Asset Pipeline Grails Plugin versions prior to 2.14.1.1 Asset Pipeline Grails Plugin versions prior to 2.15.1 Asset Pipeline Grails Plugin versions prior to 3.0.6 **Description** The issue is related to Incorrect Access Control in Applications deployed in Jetty, which can result in the download of .class files and any arbitrary file. This can be exploited via a specially crafted GET request containing directory traversal from the assets-pipeline context. **Recommendations** For versions prior to 2.14.1.1, update to version 2.14.1.1 or later. For versions prior to 2.15.1, update to version 2.15.1 or later. For versions prior to 3.0.6, update to version 3.0.6 or later.

**Name of the Vulnerable Software and Affected Versions** Grails Asset Pipeline plugin versions prior to 3.0.4 **Description** An issue was discovered that allows an attacker to perform directory traversal via a crafted request when a servlet-based application is executed in Jetty. This is due to a classloader vulnerability that can allow a reverse file traversal route in `AssetPipelineFilter.groovy` or `AssetPipelineFilterCore.groovy`. **Recommendations** For Grails Asset Pipeline plugin versions prior to 3.0.4, update to version 3.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the `AssetPipelineFilter.groovy` and `AssetPipelineFilterCore.groovy` files to minimize the risk of exploitation.