PT-2023-2333 · Minio+2

Ricterz · Published 2022-02-03 · Updated 2026-03-01 · CVE-2023-28432

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Minio versions prior to RELEASE.2023-03-20T20-16-18Z
Minio version 2022.02.01-alt1
Minio version 2022.12.07-alt1
Minio version 2023.05.18-alt1
Minio version 2023.10.16-alt1
Minio version 2023.03.24-alt1

Description
MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. This impacts all users of distributed deployments. A POST request to the /minio/bootstrap/v1/verify endpoint can reveal these secrets, which allows attackers to potentially gain access to sensitive credentials. Reports indicate this issue has been exploited in the wild, including a breach at Straumann Group, where sensitive data was exposed through an unsecured MinIO instance. Approximately 105,895 systems are potentially exposed according to ZoomEye data.

Recommendations
Upgrade to RELEASE.2023-03-20T20-16-18Z or later.
Upgrade to version 2022.02.01-alt1.
Upgrade to version 2022.12.07-alt1.
Upgrade to version 2023.05.18-alt1.
Upgrade to version 2023.10.16-alt1.
Upgrade to version 2023.03.24-alt1.
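
For triage, the following added example (not part of the original advisory and not MinIO project code) checks an upstream release tag against the affected range in the description and flags POST requests to /minio/bootstrap/v1/verify in access logs. It assumes a reverse proxy in front of MinIO writing combined-format logs; the sample lines, the `known_nodes` parameter and all function names are constructed for illustration, and the distribution package versions (`-alt1`) are not parsed.

```python
import re
from datetime import datetime

# Range stated in the advisory: first affected release (inclusive), fixed release (exclusive).
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED = "RELEASE.2023-03-20T20-16-18Z"
VERIFY_PATH = "/minio/bootstrap/v1/verify"

# Assumption: combined-format access log written by a proxy in front of MinIO.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Mar/2023:10:02:11 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1432 "-" "-"',
    '192.0.2.10 - - [21/Mar/2023:10:02:15 +0000] "GET /minio/health/live HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [21/Mar/2023:10:03:40 +0000] "POST /minio//bootstrap/v1/verify?x=1 HTTP/1.1" 403 0 "-" "-"',
    '192.0.2.10 - - [21/Mar/2023:10:04:00 +0000] "GET /minio/bootstrap/v1/verify HTTP/1.1" 405 0 "-" "-"',
]

def release_time(tag):
    """Parse an upstream MinIO release tag into a datetime (raises ValueError if malformed)."""
    return datetime.strptime(tag, "RELEASE.%Y-%m-%dT%H-%M-%SZ")

def is_affected(tag):
    """True if the tag falls inside the affected range given in the advisory."""
    return release_time(FIRST_AFFECTED) <= release_time(tag) < release_time(FIXED)

def find_verify_posts(lines, known_nodes=()):
    """Return (ip, timestamp, status) for POSTs to the verify endpoint from unknown sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Drop the query string and collapse repeated slashes before comparing paths.
        path = re.sub(r"/{2,}", "/", m["target"].split("?", 1)[0]).rstrip("/")
        if path == VERIFY_PATH and m["ip"] not in known_nodes:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

if __name__ == "__main__":
    print("fixed release affected:", is_affected(FIXED))
    for hit in find_verify_posts(SAMPLE_LOG):
        print("review:", hit)
```

A hit with status 200 on an affected release means the credentials in the environment should be treated as exposed and rotated after upgrading.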

Exploit

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

ALT-PU-2022-1206
ALT-PU-2022-3382
ALT-PU-2023-1522
ALT-PU-2023-1908
ALT-PU-2023-2074
ALT-PU-2024-17529
BDU:2023-02098
BIT-MINIO-2023-28432
CVE-2023-28432
GHSA-6XVQ-WJ2X-3H3Q

Affected Products

Alt Linux
Minio
Red Os