PT-2023-6751 · Minio+2

Donatello · Published 2023-03-20 · Updated 2024-12-26 · CVE-2023-28433

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Minio versions prior to RELEASE.2023-03-20T20-16-18Z
Description: The issue is caused by insufficient access control in Minio, a multi-cloud object storage framework. Minio fails to filter the `` character, which allows objects to be placed in arbitrary buckets. As a result, a low-privileged identity (an access key, service account, or STS credential) that only has PutObject permission on a single bucket can create an admin user.
Recommendations: For versions prior to RELEASE.2023-03-20T20-16-18Z, update to RELEASE.2023-03-20T20-16-18Z or later to resolve the issue. At the moment, there are no known workarounds for this issue.

Weakness Enumeration

Improper Access Control
Exposure of Resource to Wrong Sphere
Information Disclosure

Related Identifiers

ALT-PU-2023-1522
ALT-PU-2023-1908
ALT-PU-2023-2074
ALT-PU-2024-17529
BDU:2023-07540
BIT-MINIO-2023-28433
CVE-2023-28433
GHSA-W23Q-4HW3-2PP6

Affected Products

Alt Linux
Minio
Red Os