AbelChe

2 exploits Active since Mar 2023

CVE-2023-28434 NOMISEC HIGH STUB

Minio <RELEASE.2023-03-20T20-16-18Z - Auth Bypass

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

319 stars

CVSS 8.8

View Code

CVE-2023-28432 NOMISEC HIGH SUSPICIOUS

Minio <RELEASE.2023-03-20T20-16-18Z - Info Disclosure

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

1 stars

CVSS 7.5

View Code