CVE-2023-28434
Published: 22 March 2023
Summary
CVE-2023-28434 is a high-severity Improper Privilege Management (CWE-269) vulnerability in MinIO. Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
MinIO, a multi-cloud object storage framework, contains an authorization bypass vulnerability in versions prior to RELEASE.2023-03-20T20-16-18Z. The flaw lies in the handling of PostPolicyBucket requests, where crafted input can evade metadata bucket-name validation checks and allow object placement into arbitrary buckets. The issue is tracked under CWE-269 and carries a CVSS 3.1 score of 8.8.
An attacker who possesses credentials granting arn:aws:s3:::* permissions and who can reach an instance with Console API access enabled can exploit the weakness to write objects into any bucket on the target deployment. This effectively grants unauthorized write access across the object store without requiring additional privileges beyond the stated policy and API exposure.
The official MinIO advisory and accompanying patches recommend upgrading to RELEASE.2023-03-20T20-16-18Z. As a temporary workaround, operators can enable browser API access while setting MINIO_BROWSER=off to block the affected code path.
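The two remediation options above (upgrade to the fixed release, or set MINIO_BROWSER=off until the upgrade lands) translate directly into a fleet check. The script below is an added example written for this page, not MinIO's own tooling: it parses MinIO's date-stamped release tags, compares each deployment against the patched release named in the advisory, and reports whether the interim workaround is in place. It assumes an inventory of hosts with the version string as MinIO reports it and the process environment as a dict; the hostnames, version timestamps and environment values are constructed sample data.

```python
import re
from typing import Dict, List

# Fixed release named in the advisory (MinIO versions are date-stamped release tags).
PATCHED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# Assumption: a MinIO release tag looks like RELEASE.YYYY-MM-DDTHH-MM-SSZ, optionally
# followed by a build suffix; only the timestamp fields are compared.
_RELEASE_RE = re.compile(
    r"^RELEASE\.(\d{4})-(\d{2})-(\d{2})T(\d{2})-(\d{2})-(\d{2})Z(?:\..*)?$"
)


def release_key(version: str) -> tuple:
    """Turn a MinIO release tag into a comparable (year, month, day, hh, mm, ss) tuple."""
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised MinIO release tag: {version!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_build(version: str) -> bool:
    """True when the build predates the patched release."""
    return release_key(version) < release_key(PATCHED_RELEASE)


def browser_disabled(env: Dict[str, str]) -> bool:
    """True when MINIO_BROWSER=off is set (the advisory's interim workaround)."""
    return env.get("MINIO_BROWSER", "on").strip().lower() == "off"


def assess(host: str, version: str, env: Dict[str, str]) -> Dict[str, object]:
    """Classify one deployment as patched, workaround-only, exposed, or unknown."""
    try:
        vulnerable = is_vulnerable_build(version)
    except ValueError as exc:
        # An unparseable version string is a finding in itself: verify by hand.
        return {"host": host, "status": "unknown", "action": str(exc)}
    if not vulnerable:
        return {"host": host, "status": "patched", "action": "none"}
    if browser_disabled(env):
        return {"host": host, "status": "workaround",
                "action": f"schedule upgrade to {PATCHED_RELEASE}"}
    return {"host": host, "status": "exposed",
            "action": f"upgrade to {PATCHED_RELEASE} now; set MINIO_BROWSER=off until then"}


def triage(inventory: List[Dict]) -> List[Dict[str, object]]:
    """Run assess() over an inventory of {host, version, env} records."""
    return [assess(e["host"], e["version"], e.get("env", {})) for e in inventory]


# Constructed sample inventory (hostnames and timestamps are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "minio-a.example.internal", "version": "RELEASE.2023-02-01T00-00-00Z", "env": {}},
    {"host": "minio-b.example.internal", "version": "RELEASE.2023-02-01T00-00-00Z",
     "env": {"MINIO_BROWSER": "off"}},
    {"host": "minio-c.example.internal", "version": "RELEASE.2023-03-20T20-16-18Z", "env": {}},
    {"host": "minio-d.example.internal", "version": "RELEASE.2023-04-01T00-00-00Z.hotfix.0000",
     "env": {}},
    {"host": "minio-e.example.internal", "version": "2023.3.13", "env": {}},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding['host']:<28} {finding['status']:<10} {finding['action']}")
```

The comparison is done on the parsed timestamp rather than on the raw string so that a build suffix after the `Z` cannot disturb ordering, and a version string the parser does not recognise is surfaced as `unknown` rather than silently treated as safe.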
The associated EPSS score sits at 0.5209 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2395
Vulnerability details
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
- CWE(s): CWE-269
- KEV Date Added: 19 September 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access-control decisions on PostPolicyBucket requests so that an authenticated subject cannot write objects into arbitrary buckets despite holding arn:aws:s3:::* rights.
- SI-10 (Information Input Validation): requires validation of the bucket-name metadata supplied in the policy POST, blocking the crafted values that bypass the check.
- Limiting the breadth of S3 permissions granted to any single identity reduces the impact of the missing bucket-name enforcement.