CVE-2023-28432

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-28432
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z Release Notes
https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q Vendor Advisory
https://twitter.com/Andrew___Morris/status/1639325397241278464 Third Party Advisory
https://viz.greynoise.io/tag/minio-information-disclosure-attempt Third Party Advisory
https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
History

07 Nov 2023, 04:10

Type Values Removed Values Added
Summary Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

28 Mar 2023, 16:26

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.5
References (MISC) https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z - (MISC) https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z - Release Notes
References (MISC) https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean - (MISC) https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean - Third Party Advisory
References (MISC) https://viz.greynoise.io/tag/minio-information-disclosure-attempt - (MISC) https://viz.greynoise.io/tag/minio-information-disclosure-attempt - Third Party Advisory
References (MISC) https://twitter.com/Andrew___Morris/status/1639325397241278464 - (MISC) https://twitter.com/Andrew___Morris/status/1639325397241278464 - Third Party Advisory
References (MISC) https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q - (MISC) https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q - Vendor Advisory
CPE cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*
First Time Minio minio
Minio
CWE CWE-200 NVD-CWE-noinfo

27 Mar 2023, 01:15

Type Values Removed Values Added
References
  • (MISC) https://twitter.com/Andrew___Morris/status/1639325397241278464 -
  • (MISC) https://viz.greynoise.io/tag/minio-information-disclosure-attempt -
  • (MISC) https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean -

22 Mar 2023, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-03-22 21:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-28432

Mitre link : CVE-2023-28432

CVE.ORG link : CVE-2023-28432

JSON object : View

Products Affected

minio

  • minio
CWE
NVD-CWE-noinfo CWE-200

Exposure of Sensitive Information to an Unauthorized Actor