cvelistv5 - cve-2023-28434

cve-2023-28434

Vulnerability from cvelistv5

Published

2023-03-22 20:44

Modified

2025-01-28 21:18

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

MinIO is vulnerable to privilege escalation on Linux/MacOS

References

URL	Tags
security-advisories@github.com	https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5	Patch
security-advisories@github.com	https://github.com/minio/minio/pull/16849	Exploit, Issue Tracking
security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/pull/16849	Exploit, Issue Tracking
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c	Vendor Advisory

Impacted products

▼	Vendor	Product
	minio	minio

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:38:25.275Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
          },
          {
            "name": "https://github.com/minio/minio/pull/16849",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/pull/16849"
          },
          {
            "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28434",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-28T21:15:57.293847Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2023-09-19",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-28434"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-28T21:18:50.717Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minio",
          "vendor": "minio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c RELEASE.2023-03-20T20-16-18Z"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. \n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-269",
              "description": "CWE-269: Improper Privilege Management",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-22T20:44:04.216Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
        },
        {
          "name": "https://github.com/minio/minio/pull/16849",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/pull/16849"
        },
        {
          "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
        }
      ],
      "source": {
        "advisory": "GHSA-2pxw-r47w-4p8c",
        "discovery": "UNKNOWN"
      },
      "title": "MinIO is vulnerable to privilege escalation on Linux/MacOS"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28434",
    "datePublished": "2023-03-22T20:44:04.216Z",
    "dateReserved": "2023-03-15T15:59:10.053Z",
    "dateUpdated": "2025-01-28T21:18:50.717Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28434\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-22T21:15:18.427\",\"lastModified\":\"2025-03-10T20:49:43.140\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. \\n\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"cisaExploitAdd\":\"2023-09-19\",\"cisaActionDue\":\"2023-10-10\",\"cisaRequiredAction\":\"Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.\",\"cisaVulnerabilityName\":\"MinIO Security Feature Bypass Vulnerability\",\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-269\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2023-03-20t20-16-18z\",\"matchCriteriaId\":\"63CBB19F-80FF-4D6B-ADF3-7BD9768861D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/pull/16849\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/pull/16849\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}"
  }
}

wid-sec-w-2023-2261

Vulnerability from csaf_certbund

Published

2023-09-04 22:00

Modified

2023-09-04 22:00

Summary

MinIO: Mehrere Schwachstellen ermöglichen Offenlegung von Informationen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MinIO ist ein S3-kompatibler Objektspeicher, der für groß angelegte KI/ML-, Data Lake- und Datenbank-Workloads entwickelt wurde. Er läuft "on-premise" und in jeder Cloud.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MinIO ausnutzen, um Informationen offenzulegen.

Betroffene Betriebssysteme

- Linux - MacOS X - Windows - Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MinIO ist ein S3-kompatibler Objektspeicher, der f\u00fcr gro\u00df angelegte KI/ML-, Data Lake- und Datenbank-Workloads entwickelt wurde. Er l\u00e4uft \"on-premise\" und in jeder Cloud.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in MinIO ausnutzen, um Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- MacOS X\n- Windows\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2261 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2261.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2261 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2261"
      },
      {
        "category": "external",
        "summary": "MinIO Security Notification vom 2023-09-04",
        "url": "https://thehackernews.com/2023/09/hackers-exploit-minio-storage-system.html"
      }
    ],
    "source_lang": "en-US",
    "title": "MinIO: Mehrere Schwachstellen erm\u00f6glichen Offenlegung von Informationen",
    "tracking": {
      "current_release_date": "2023-09-04T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:58:02.058+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2261",
      "initial_release_date": "2023-09-04T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-04T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source MinIO \u003c RELEASE.2023-03-20T20-16-18Z",
            "product": {
              "name": "Open Source MinIO \u003c RELEASE.2023-03-20T20-16-18Z",
              "product_id": "T029711",
              "product_identification_helper": {
                "cpe": "cpe:/a:minio:minio:release.2023-03-20t20-16-18z"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-28434",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in MinIO. Dieser Fehler besteht aufgrund einer unsachgem\u00e4\u00dfen Rechteverwaltung und Inkonsequenz zwischen der Pr\u00fcfung f\u00fcr das Routing von Post-Policy-Anforderungen und der Verhinderung des Zugriffs auf reservierte Buckets. Ein Angreifer kann diese Schwachstelle ausnutzen, um Sicherheitsma\u00dfnahmen zu umgehen und seine Privilegien zu erweitern, indem er manipulierte Anfragen verwendet, um die \u00dcberpr\u00fcfung des Metadaten-Bucket-Namens zu umgehen und ein Objekt in einen beliebigen Bucket zu legen, w\u00e4hrend er PostPolicyBucket verarbeitet."
        }
      ],
      "release_date": "2023-09-04T22:00:00.000+00:00",
      "title": "CVE-2023-28434"
    },
    {
      "cve": "CVE-2023-28432",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in MinIO. Dieser Fehler besteht in einem Cluster-Einsatz, da das System alle Umgebungsvariablen zur\u00fcckgibt. Ein Angreifer kann diese Schwachstelle ausnutzen, um vertrauliche Informationen offenzulegen."
        }
      ],
      "release_date": "2023-09-04T22:00:00.000+00:00",
      "title": "CVE-2023-28432"
    }
  ]
}

var-202303-1848

Vulnerability from variot

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1848",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "minio",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "minio",
        "version": "2023-03-20t20-16-18z"
      },
      {
        "model": "minio",
        "scope": null,
        "trust": 0.8,
        "vendor": "minio",
        "version": null
      },
      {
        "model": "minio",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "minio",
        "version": null
      },
      {
        "model": "minio",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "minio",
        "version": "2023-03-20t20-16-18z"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2023-03-20t20-16-18z",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "cve": "CVE-2023-28434",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2023-28434",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2023-28434",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2023-28434",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202303-1792",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-28434"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-28434",
        "trust": 3.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-28434",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28434"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "id": "VAR-202303-1848",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.18899521
  },
  "last_update_date": "2024-06-26T23:18:41.829000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "MinIO Security vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230916"
      },
      {
        "title": "",
        "trust": 0.1,
        "url": "https://github.com/mr-xn/cve-2023-28434 "
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28434"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      },
      {
        "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/security/advisories/ghsa-2pxw-r47w-4p8c"
      },
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/pull/16849"
      },
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28434"
      },
      {
        "trust": 0.8,
        "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2023-28434/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/269.html"
      },
      {
        "trust": 0.1,
        "url": "https://github.com/mr-xn/cve-2023-28434"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28434"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28434"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-03-22T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-28434"
      },
      {
        "date": "2023-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "date": "2023-03-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      },
      {
        "date": "2023-03-22T21:15:18.427000",
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-03-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-28434"
      },
      {
        "date": "2023-11-10T04:23:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      },
      {
        "date": "2023-03-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      },
      {
        "date": "2024-06-21T16:12:41.387000",
        "db": "NVD",
        "id": "CVE-2023-28434"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005843"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1792"
      }
    ],
    "trust": 0.6
  }
}

gsd-2023-28434

Vulnerability from gsd

Modified

2023-12-13 01:20

Details

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

Aliases

CVE-2023-28434

Aliases

CVE-2023-28434

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28434",
    "id": "GSD-2023-28434"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28434"
      ],
      "details": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.",
      "id": "GSD-2023-28434",
      "modified": "2023-12-13T01:20:47.288588Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-28434",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "minio",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c RELEASE.2023-03-20T20-16-18Z"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "minio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-269",
                "lang": "eng",
                "value": "CWE-269: Improper Privilege Management"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
          },
          {
            "name": "https://github.com/minio/minio/pull/16849",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/pull/16849"
          },
          {
            "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2pxw-r47w-4p8c",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv2023-03-20t20-16-18z",
          "affected_versions": "All versions before 2023-03-20t20-16-18z",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-03-28",
          "description": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.",
          "fixed_versions": [
            "v2023-03-20t20-16-18z"
          ],
          "identifier": "CVE-2023-28434",
          "identifiers": [
            "CVE-2023-28434",
            "GHSA-2pxw-r47w-4p8c"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/minio/minio",
          "pubdate": "2023-03-22",
          "solution": "Upgrade to version 2023-03-20t20-16-18z or above.",
          "title": "Privilege Escalation on Linux/MacOS",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-28434",
            "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
            "https://github.com/minio/minio/pull/16849",
            "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
          ],
          "uuid": "805203cd-db82-41ce-8028-2443cd5d0194",
          "versions": []
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2023-03-20t20-16-18z",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28434"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
            },
            {
              "name": "https://github.com/minio/minio/pull/16849",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Issue Tracking"
              ],
              "url": "https://github.com/minio/minio/pull/16849"
            },
            {
              "name": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-03-28T16:24Z",
      "publishedDate": "2023-03-22T21:15Z"
    }
  }
}

ghsa-2pxw-r47w-4p8c

Vulnerability from github

Published

2023-09-05 15:45

Modified

2023-09-05 15:45

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Privilege Escalation on Linux/MacOS

Details

Impact

An attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access.

Patches

``` commit 67f4ba154a27a1b06e48bfabda38355a010dfca5 Author: Aditya Manthramurthy donatello@users.noreply.github.com Date: Sun Mar 19 21:15:20 2023 -0700

fix: post policy request security bypass (#16849)

```

Workarounds

Browser API access must be enabled turning off MINIO_BROWSER=off allows for this workaround.

References

The vulnerable code: go // minio/cmd/generic-handlers.go func setRequestValidityHandler(h http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // ... // For all other requests reject access to reserved buckets bucketName, _ := request2BucketObjectName(r) if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) { if !guessIsRPCReq(r) && !guessIsBrowserReq(r) && !guessIsHealthCheckReq(r) && !guessIsMetricsReq(r) && !isAdminReq(r) && !isKMSReq(r) { if ok { tc.FuncName = "handler.ValidRequest" tc.ResponseRecorder.LogErrBody = true } writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL) return } } // ...

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-202303200415"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-05T15:45:10Z",
    "nvd_published_at": "2023-03-22T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.\n\n### Patches\n```\ncommit 67f4ba154a27a1b06e48bfabda38355a010dfca5\nAuthor: Aditya Manthramurthy \u003cdonatello@users.noreply.github.com\u003e\nDate:   Sun Mar 19 21:15:20 2023 -0700\n\n    fix: post policy request security bypass (#16849)\n```\n\n### Workarounds\nBrowser API access must be enabled turning off `MINIO_BROWSER=off` allows for this workaround.\n\n### References\nThe vulnerable code:\n```go\n// minio/cmd/generic-handlers.go\nfunc setRequestValidityHandler(h http.Handler) http.Handler {\n  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n    // ...\n    // For all other requests reject access to reserved buckets\n    bucketName, _ := request2BucketObjectName(r)\n    if isMinioReservedBucket(bucketName) || isMinioMetaBucket(bucketName) {\n      if !guessIsRPCReq(r) \u0026\u0026 !guessIsBrowserReq(r) \u0026\u0026 !guessIsHealthCheckReq(r) \u0026\u0026 !guessIsMetricsReq(r) \u0026\u0026 !isAdminReq(r) \u0026\u0026 !isKMSReq(r) {\n        if ok {\n          tc.FuncName = \"handler.ValidRequest\"\n          tc.ResponseRecorder.LogErrBody = true\n        }\n        writeErrorResponse(r.Context(), w, errorCodes.ToAPIErr(ErrAllAccessDisabled), r.URL)\n        return\n      }\n    }\n    // ...\n```",
  "id": "GHSA-2pxw-r47w-4p8c",
  "modified": "2023-09-05T15:45:10Z",
  "published": "2023-09-05T15:45:10Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28434"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/pull/16849"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Privilege Escalation on Linux/MacOS"
}

Action not permitted

cve-2023-28434

Vulnerability from cvelistv5

wid-sec-w-2023-2261

Vulnerability from csaf_certbund

var-202303-1848

Vulnerability from variot

gsd-2023-28434

Vulnerability from gsd

ghsa-2pxw-r47w-4p8c

Vulnerability from github

Impact

Patches

Workarounds

References

Tags