CVE-2023-28434 Affecting minio package, versions <0.20230413.030807-r0


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

Exploit Maturity
Mature
EPSS
13.32% (96th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-CHAINGUARDLATEST-MINIO-5846723
  • published21 Aug 2023
  • disclosed22 Mar 2023

Introduced: 22 Mar 2023

CVE-2023-28434  (opens in a new tab)

How to fix?

Upgrade Chainguard minio to version 0.20230413.030807-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream minio package and not the minio package as distributed by Chainguard. See How to fix? for Chainguard relevant fixed versions and status.

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.

CVSS Scores

version 3.1