CVE-2023-28432
Published: 22 March 2023
Summary
CVE-2023-28432 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in MinIO (vendor Minio, product Minio). Its CVSS base score is 7.5 (High).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SI-2 (Flaw Remediation).
Deeper analysis
MinIO, a multi-cloud object storage system, contains an information disclosure vulnerability in its distributed (cluster) deployments. Starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, the server returns all of its environment variables in a response, including the values of MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. The flaw is tracked as CVE-2023-28432 with a CVSS 3.1 base score of 7.5 and is classified under CWE-200.
An unauthenticated attacker with network access to an affected MinIO cluster can retrieve the full set of environment variables without credentials or user interaction. Because those variables carry the root credentials, successful exploitation lets the attacker authenticate as root, read or modify every stored object, and potentially take over the deployment. Any other secret passed to the process through its environment is exposed the same way.
The official MinIO advisory and release notes direct all users of distributed deployments to upgrade immediately to RELEASE.2023-03-20T20-16-18Z. GreyNoise telemetry shows active scanning and information-disclosure attempts against affected versions, and public discussion has highlighted the issue in contexts such as OpenAI's MinIO usage, underscoring the supply-chain exposure of organizations that depend on the software. The EPSS score remains elevated, near 0.94.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32124
Vulnerability details
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
- CWE(s): CWE-200
- KEV Date Added: 21 April 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): apply the vendor patch by upgrading to RELEASE.2023-03-20T20-16-18Z, which removes the code path that returns all environment variables including MINIO_SECRET_KEY. Upgrading does not revoke credentials that may already have been captured, so rotate MINIO_ROOT_PASSWORD, MINIO_SECRET_KEY and any other secret passed through the environment after patching.
AU-13 (Monitoring for Information Disclosure): monitor for disclosure of sensitive data such as the environment variables leaked by this MinIO flaw, for example by alerting on the variable names or credential values appearing in outbound response bodies or in proxy and access logs.
SC-7 (Boundary Protection): boundary-protection rules that restrict network access to distributed MinIO instances to the cluster's own nodes and trusted clients block the unauthenticated disclosure vector and limit exploitability until the upgrade is applied.
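As an added example (not MinIO project code, and not a reproduction of the vulnerable request), the script below does two things that follow from the affected range stated in the analysis above and from the AU-13 monitoring control: it decides whether a MinIO build tag falls inside [RELEASE.2019-12-17T23-16-33Z, RELEASE.2023-03-20T20-16-18Z), and it scans a captured response body for the sensitive variable names so a proxy or log pipeline can alert on and redact a leak. The source of the tag (`minio --version`, `mc admin info`, or an asset inventory), the sample response layout, and the extra MINIO_ACCESS_KEY/MINIO_ROOT_USER names beyond the two the advisory lists are assumptions.

```python
"""Two checks for CVE-2023-28432 (added example, not MinIO project code).

1. is_affected(): does a MinIO build tag fall inside the advisory's affected
   range?  Relies only on MinIO's RELEASE.YYYY-MM-DDTHH-MM-SSZ tag format and
   the bounds quoted in the advisory.
2. find_leaked_env() / redact(): flag sensitive MinIO environment variable
   names (with values) in captured HTTP response bodies, for AU-13 style
   monitoring.  The response shapes scanned here are constructed guesses, not
   the real server output.
"""
import re
from datetime import datetime, timezone

# Range from the advisory: first affected build (inclusive), fixed build (exclusive).
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED = "RELEASE.2023-03-20T20-16-18Z"

# Tag as printed by `minio --version`, `mc admin info`, or a deployment inventory
# (assumption about where the string comes from; the regex tolerates surrounding text).
_TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)")


def parse_release(text: str) -> datetime:
    """Extract the RELEASE.<timestamp> tag from `text` and return it as a UTC datetime."""
    m = _TAG_RE.search(text)
    if m is None:
        raise ValueError(f"no MinIO release tag found in {text!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ").replace(tzinfo=timezone.utc)


def is_affected(version_text: str, distributed: bool = True) -> bool:
    """True if this build is in [FIRST_AFFECTED, FIXED) and runs in distributed mode.

    The advisory scopes the bug to cluster deployments, so single-node servers
    are reported as not affected even when their build is inside the range.
    """
    if not distributed:
        return False
    build = parse_release(version_text)
    return parse_release(FIRST_AFFECTED) <= build < parse_release(FIXED)


# Names the advisory calls out, plus the access-key pair MinIO also reads from
# the environment (assumption: extend this list for secrets your deployment injects).
SENSITIVE_ENV = ("MINIO_SECRET_KEY", "MINIO_ROOT_PASSWORD",
                 "MINIO_ACCESS_KEY", "MINIO_ROOT_USER")

# Matches NAME=value, NAME: value and JSON-style "NAME":"value".
_LEAK_RE = re.compile(
    r'(' + "|".join(SENSITIVE_ENV) + r')"?\s*[=:]\s*"?([^"\s,}]+)'
)


def find_leaked_env(body: str) -> dict[str, str]:
    """Return {name: value} for every sensitive variable visible in `body`."""
    return {m.group(1): m.group(2) for m in _LEAK_RE.finditer(body)}


def redact(body: str) -> str:
    """Replace leaked values so a detection can be logged without re-leaking them."""
    return _LEAK_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", body)


# Constructed sample body (not the real MinIO response format) with one JSON-style
# and one env-style leak; the PATH line must not be reported.
SAMPLE_BODY = (
    '{"env":{"MINIO_ROOT_USER":"minioadmin","MINIO_ROOT_PASSWORD":"s3cr3t-pass"}}\n'
    "MINIO_SECRET_KEY=AKIAEXAMPLEKEY\n"
    "PATH=/usr/local/bin\n"
)


if __name__ == "__main__":
    for v in ("RELEASE.2019-12-12T19-29-47Z", FIRST_AFFECTED,
              "RELEASE.2023-03-13T19-46-17Z", FIXED):
        print(f"{v}: affected={is_affected(v)}")
    leaks = find_leaked_env(SAMPLE_BODY)
    print("leaked:", sorted(leaks))
    print(redact(SAMPLE_BODY))
```

Feed `is_affected()` the version string from each node in your inventory and treat any hit on a multi-node deployment as a patch-and-rotate action; feed `find_leaked_env()` response bodies (or logged bodies) on the path to your MinIO nodes and alert on a non-empty result, storing only the `redact()` output.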