Armis Vulnerability Intelligence Database

Description Preview

CVE-2023-28434 affects MinIO, a Multi-Cloud Object Storage framework. The vulnerability allows attackers with specific credentials to bypass metadata bucket name checking and put objects into any bucket while processing PostPolicyBucket requests. This security flaw could lead to unauthorized data manipulation across buckets.

Overview

Prior to MinIO RELEASE.2023-03-20T20-16-18Z, an attacker could bypass security controls by crafting specific requests that circumvent the metadata bucket name validation mechanism. To successfully exploit this vulnerability, the attacker would need:

Valid credentials with "arn:aws:s3:::*" permission
Enabled Console API access The vulnerability exists in the PostPolicyBucket processing functionality, which failed to properly validate bucket names in certain scenarios. This could allow malicious actors to place objects in buckets they shouldn't have access to, potentially leading to data integrity issues or information disclosure.

Remediation

To address this vulnerability, organizations should implement one of the following solutions:

Update to MinIO version RELEASE.2023-03-20T20-16-18Z or later, which contains the security patch.
If updating is not immediately possible, apply the following workaround:
- Enable browser API access
- Set MINIO_BROWSER=off in your configuration
Review access controls and permissions to ensure that only trusted users have credentials with "arn:aws:s3:::*" permission.
Monitor logs for any suspicious activity related to PostPolicyBucket operations, particularly from users with broad permissions.

References

MinIO GitHub Security Advisory: https://github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8c
Patch Commit: https://github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5
Pull Request with Fix: https://github.com/minio/minio/pull/16849

Early Warning

Armis Early Warning customers received an advanced alert on this vulnerability.

Armis Alert Date: Sep 6, 2023
CISA KEV Date: Sep 19, 2023

13days early

Learn More

Industry ExposureMost to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

Finance and Insurance
Finance and Insurance
Manufacturing
Manufacturing
Professional, Scientific, & Technical Services
Professional, Scientific, & Technical Services
Public Administration
Public Administration
Accommodation & Food Services
Accommodation & Food Services
Administrative, Support, Waste Management & Remediation Services
Administrative, Support, Waste Management & Remediation Services
Agriculture, Forestry Fishing & Hunting
Agriculture, Forestry Fishing & Hunting
Arts, Entertainment & Recreation
Arts, Entertainment & Recreation
Construction
Construction
Educational Services
Educational Services
Health Care & Social Assistance
Health Care & Social Assistance
Information
Information
Management of Companies & Enterprises
Management of Companies & Enterprises
Mining
Mining
Other Services (except Public Administration)
Other Services (except Public Administration)
Real Estate Rental & Leasing
Real Estate Rental & Leasing
Retail Trade
Retail Trade
Transportation & Warehousing
Transportation & Warehousing
Utilities
Utilities
Wholesale Trade
Wholesale Trade

^{CVE-2023-28434:}MinIO Object Storage Metadata Bucket Name Check Bypass Vulnerability