CVE-2023-28434: Privilege Escalation on Linux/MacOS

March 22, 2023 (updated November 7, 2023)

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.

References

github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
github.com/minio/minio/pull/16849
github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
nvd.nist.gov/vuln/detail/CVE-2023-28434

Code Behaviors & Features

Detect and mitigate CVE-2023-28434 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →