PT-2023-4759 · Minio+2

Donatello · Published 2023-03-21 · Updated 2026-02-26 · CVE-2023-28434

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MinIO versions prior to RELEASE.2023-03-20T20-16-18Z
Description: MinIO, a multi-cloud object storage framework, contains a security flaw in the PostPolicyBucket component related to privilege management errors. An attacker holding arn:aws:s3:::* permissions, on a deployment with Console API access enabled, can send specially crafted HTTP requests that bypass the metadata bucket name check and place objects into any bucket. This could lead to privilege escalation. There is no information available regarding the number of affected devices or real-world exploitation of this issue. The vulnerable code resides in minio/cmd/generic-handlers.go within the setRequestValidityHandler function; the PostPolicyBucket component can be bypassed because bucket name validation is handled improperly.
Recommendations: Upgrade to RELEASE.2023-03-20T20-16-18Z or later. As a temporary workaround, disable browser API access by setting MINIO_BROWSER=off.
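A small triage helper, added here and not part of the advisory or of MinIO itself, that applies the two recommendations above to a deployment: it parses MinIO's timestamp-style release tag to decide whether a build predates the fixed release, and checks whether the MINIO_BROWSER=off workaround is in place. It assumes the release tag appears somewhere in the `minio --version` output and that MINIO_BROWSER defaults to "on" when unset.

```python
import re
from datetime import datetime

# Fixed release named in the advisory.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# MinIO release tags are build timestamps: RELEASE.YYYY-MM-DDTHH-MM-SSZ
_RELEASE_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text: str) -> datetime:
    """Extract a MinIO release tag from text (e.g. `minio --version` output)
    and return its build time. Because tags are timestamps, datetime ordering
    is release ordering."""
    m = _RELEASE_RE.search(text)
    if not m:
        raise ValueError(f"no MinIO release tag found in {text!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")


def is_vulnerable_release(text: str) -> bool:
    """True when the build predates the fixed release (CVE-2023-28434)."""
    return parse_release(text) < parse_release(FIXED_RELEASE)


def browser_api_disabled(env: dict) -> bool:
    """The advisory's workaround: MINIO_BROWSER=off turns off browser/Console
    API access. Assumption: an unset variable means the default of "on"."""
    return env.get("MINIO_BROWSER", "on").strip().lower() == "off"


def assess(version_output: str, env: dict) -> str:
    """Classify a deployment from its version string and environment."""
    if not is_vulnerable_release(version_output):
        return "fixed"
    if browser_api_disabled(env):
        return "vulnerable-build, workaround-applied"
    return "vulnerable-build, exposed"


if __name__ == "__main__":
    # Constructed sample: an older build with the workaround set.
    sample = "minio version RELEASE.2023-02-27T18-10-45Z (commit-id=constructed)"
    print(assess(sample, {"MINIO_BROWSER": "off"}))
```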

Weakness Enumeration: Improper Privilege Management

Related Identifiers

ALT-PU-2023-1522
ALT-PU-2023-1908
ALT-PU-2023-2074
ALT-PU-2024-17529
BDU:2023-05199
BIT-MINIO-2023-28434
CVE-2023-28434
GHSA-2PXW-R47W-4P8C

Affected Products

Alt Linux
Minio
Red Os