MinIO Information Disclosure

high Web App Scanning Plugin ID 113870

Synopsis

MinIO Information Disclosure

Description

MinIO is a multi-cloud and open-source object storage framework. When deployed in cluster mode, MinIO versions starting with RELEASE.2021-08-31T05-46-54Z and prior to RELEASE.2023-03_20T20-16-18Z suffer from an information disclosure vulnerability, exposing all environment variables, including sensitive information like MINIO_ROOT_PASSWORD or MINIO_SECRET_KEY.

Solution

Upgrade to MinIO version RELEASE.2023-03_20T20-16-18Z or later.

See Also

https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q

https://min.io/

Plugin Details

Severity: High

ID: 113870

Type: remote

Published: 5/5/2023

Updated: 5/5/2023

Scan Template: basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 5.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2023-28432

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS Score Source: CVE-2023-28432

Vulnerability Information

CPE: cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/20/2023

Vulnerability Publication Date: 3/20/2023

CISA Known Exploited Vulnerability Due Dates: 5/12/2023

Reference Information

CVE: CVE-2023-28432