MinIO Information Disclosure (CVE-2023-28432)

high Nessus Plugin ID 189513

Synopsis

The remote host contains an application that is affected by an information disclosure vulnerability.

Description

The version of MinIO installed on the remote host is prior to RELEASE.2023-03-20T20-16-18Z. It is, therefore, affected by an information disclosure vulnerability. When deployed in a cluster/in distributed mode MinIO returns all environment variables, including 'MINIO_SECRET_KEY' and 'MINIO_ROOT_PASSWORD', resulting in disclosure of sensitive information.

Solution

Upgrade to MinIO version RELEASE.2023-03-20T20-16-18Z or later, or apply the workaround mentioned in the vendor advisory.

See Also

https://blog.min.io/security-advisory-stackedcves/

https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q

Plugin Details

Severity: High

ID: 189513

File Name: minio_CVE-2023-28432.nbin

Version: 1.16

Type: remote

Family: CGI abuses

Published: 1/25/2024

Updated: 10/10/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-28432

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:minio:minio_console, cpe:/a:minio:minio

Required KB Items: installed_sw/MinIO Console

Exploit Available: true

Exploit Ease: Exploits are available

Exploited by Nessus: true

Patch Publication Date: 3/21/2023

Vulnerability Publication Date: 3/20/2023

CISA Known Exploited Vulnerability Due Dates: 5/12/2023

Reference Information

CVE: CVE-2023-28432