Headline
CVE-2023-28432: Information Disclosure in Cluster Deployment
MinIO is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployments are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Affected versions
RELEASE.2019-12-17T23-16-33Z
Patched versions
RELEASE.2023-03-20T20-16-18Z
Impact
In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure.
All users of distributed deployments are impacted. All users are advised to upgrade ASAP.
Patches
commit 3b5dbf90468b874e99253d241d16d175c2454077
Author: Harshavardhana <[email protected]>
Date: Mon Mar 20 01:40:24 2023 -0700
allow bootstrapping to validate internode tokens (#16853)
Workarounds
There are no known workarounds.
References
The vulnerable code (the bootstrap verify handler serialises the full MINIO_* environment, credentials included, into the HTTP response):

```go
// minio/cmd/bootstrap-peer-server.go
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")
	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// minio/cmd/bootstrap-peer-server.go
func getServerSystemCfg() ServerSystemConfig {
	envs := env.List("MINIO_")
	envValues := make(map[string]string, len(envs))
	for _, envK := range envs {
		// skip certain environment variables that are part
		// of the whitelist and could be configured
		// differently on each node; update the skipEnvs()
		// map if there are such environment values
		if _, ok := skipEnvs[envK]; ok {
			continue
		}
		envValues[envK] = env.Get(envK, "")
	}
	return ServerSystemConfig{
		MinioEndpoints: globalEndpoints,
		MinioEnv:       envValues,
	}
}
```
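The following is an added example, not MinIO's code and not the fix from commit 3b5dbf9: it reproduces the vulnerable pattern (every MINIO_* value copied into a JSON response from an unauthenticated handler) beside one hardened form. The hardening makes two assumed changes: the handler refuses requests that do not carry a shared internode token (the bearer-header layout here is an assumption; the commit message only says bootstrapping now validates internode tokens), and secret-bearing variables are replaced with a SHA-256 digest so peers can still compare configuration without the plaintext ever being serialised. The ServerSystemConfig struct is reduced to the MinioEnv field, the suffix list of secret variables is constructed, and the environment is passed in as a slice so the example runs offline.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// ServerSystemConfig mirrors the shape of the struct the advisory's
// vulnerable code serialises (assumed; only the MinioEnv field is kept).
type ServerSystemConfig struct {
	MinioEnv map[string]string `json:"MinioEnv"`
}

// minioEnv collects MINIO_* variables from an os.Environ()-style slice.
func minioEnv(environ []string) map[string]string {
	out := map[string]string{}
	for _, kv := range environ {
		if !strings.HasPrefix(kv, "MINIO_") {
			continue
		}
		k, v, _ := strings.Cut(kv, "=")
		out[k] = v
	}
	return out
}

// vulnerableSystemCfg has the flaw described in the advisory: every
// MINIO_* value, credentials included, ends up in the response body.
func vulnerableSystemCfg(environ []string) ServerSystemConfig {
	return ServerSystemConfig{MinioEnv: minioEnv(environ)}
}

// secretSuffixes (constructed list) marks variables whose plaintext
// must never leave the process.
var secretSuffixes = []string{"_SECRET_KEY", "_ROOT_PASSWORD", "_PASSWORD", "_TOKEN"}

func isSecretEnv(k string) bool {
	for _, s := range secretSuffixes {
		if strings.HasSuffix(k, s) {
			return true
		}
	}
	return false
}

// hardenedSystemCfg replaces secret values with a SHA-256 digest, so peers
// can still check that every node runs the same credentials while the
// plaintext is never serialised. (Assumed design, not MinIO's fix.)
func hardenedSystemCfg(environ []string) ServerSystemConfig {
	envs := minioEnv(environ)
	for k, v := range envs {
		if isSecretEnv(k) {
			sum := sha256.Sum256([]byte(v))
			envs[k] = "sha256:" + hex.EncodeToString(sum[:])
		}
	}
	return ServerSystemConfig{MinioEnv: envs}
}

// tokenOK compares the bearer token against the internode secret in
// constant time (assumed header layout; MinIO's real scheme differs).
func tokenOK(r *http.Request, want string) bool {
	got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	return subtle.ConstantTimeCompare([]byte(got), []byte(want)) == 1
}

// newHardenedVerifyHandler answers only authenticated peers and serves
// the digest form of the config. environ is injected (pass os.Environ
// in a real server) so the handler can be exercised offline.
func newHardenedVerifyHandler(internodeToken string, environ func() []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if internodeToken == "" || !tokenOK(r, internodeToken) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if err := json.NewEncoder(w).Encode(hardenedSystemCfg(environ())); err != nil {
			http.Error(w, "encode failed", http.StatusInternalServerError)
		}
	}
}

func main() {
	// Constructed sample environment; no real credentials.
	env := []string{"MINIO_ROOT_USER=admin", "MINIO_ROOT_PASSWORD=hunter2", "MINIO_REGION=us-east-1"}
	out, _ := json.MarshalIndent(vulnerableSystemCfg(env), "", "  ")
	fmt.Println("vulnerable response body:", string(out))
	out, _ = json.MarshalIndent(hardenedSystemCfg(env), "", "  ")
	fmt.Println("hardened response body:", string(out))
}
```

Running the block prints the two bodies side by side: the vulnerable one carries the root password verbatim, the hardened one carries only its digest, and the hardened handler returns 401 to any caller without the internode token. Note that an unsalted digest of a weak password is still brute-forceable by anyone who obtains it, which is why the digest is only served behind the token check rather than on its own.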
Related news
An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The comprises CVE-2023-28432 (CVSS score: 7.5) and
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control