Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-28432: Information Disclosure in Cluster Deployment

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

CVE
#js#auth#sap

Affected versions

RELEASE.2019-12-17T23-16-33Z

Patched versions

RELEASE.2023-03-20T20-16-18Z

Impact

In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY
and MINIO_ROOT_PASSWORD, resulting in information disclosure.

All users of distributed deployment are impacted. All users are advised to upgrade ASAP.

Patches

commit 3b5dbf90468b874e99253d241d16d175c2454077
Author: Harshavardhana <[email protected]>
Date:   Mon Mar 20 01:40:24 2023 -0700

    allow bootstrapping to validate internode tokens (#16853)

Workarounds

There are no known workarounds.

References

The vulnerable code:

// minio/cmd/bootstrap-peer-server.go func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, “VerifyHandler”) cfg := getServerSystemCfg() logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg)) }

// minio/cmd/bootstrap-peer-server.go func getServerSystemCfg() ServerSystemConfig { envs := env.List(“MINIO_”) envValues := make(map[string]string, len(envs)) for _, envK := range envs { // skip certain environment variables as part // of the whitelist and could be configured // differently on each nodes, update skipEnvs() // map if there are such environment values if _, ok := skipEnvs[envK]; ok { continue } envValues[envK] = env.Get(envK, “”) } return ServerSystemConfig{ MinioEndpoints: globalEndpoints, MinioEnv: envValues, } }

Related news

Trend Micro Releases Urgent Fix for Actively Exploited Critical Security Vulnerability

Cybersecurity company Trend Micro has released patches and hotfixes to address a critical security flaw in Apex One and Worry-Free Business Security solutions for Windows that has been actively exploited in real-world attacks. Tracked as CVE-2023-41179 (CVSS score: 9.1), it relates to a third-party antivirus uninstaller module that's bundled along with the software. The complete list of impacted

Hackers Exploit MinIO Storage System Vulnerabilities to Compromise Servers

An unknown threat actor has been observed weaponizing high-severity security flaws in the MinIO high-performance object storage system to achieve unauthorized code execution on affected servers. Cybersecurity and incident response firm Security Joes said the intrusion leveraged a publicly available exploit chain to backdoor the MinIO instance. The comprises CVE-2023-28432 (CVSS score: 7.5) and

CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The three vulnerabilities are as follows - CVE-2023-28432 (CVSS score - 7.5) - MinIO Information Disclosure Vulnerability  CVE-2023-27350 (CVSS score - 9.8) - PaperCut MF/NG Improper Access Control

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907