Ubuntu.comUB:CVE-2023-28434CVE-2023-28434
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.039 Low
EPSS
Percentile
91.9%
Minio is a Multi-Cloud Object Storage framework. Prior to
RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to
bypass metadata bucket name checking and put an object into any bucket
while processing PostPolicyBucket. To carry out this attack, the attacker
requires credentials with arn:aws:s3:::* permission, as well as enabled
Console API access. This issue has been patched in
RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access
and turn off MINIO_BROWSER=off.
References
github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
github.com/minio/minio/pull/16849
github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
launchpad.net/bugs/cve/CVE-2023-28434
nvd.nist.gov/vuln/detail/CVE-2023-28434
security-tracker.debian.org/tracker/CVE-2023-28434
www.cve.org/CVERecord?id=CVE-2023-28434
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.039 Low
EPSS
Percentile
91.9%