
CVE-2023-28434

Tags: High · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 22 March 2023
Modified: 26 February 2026
KEV Added: 19 September 2023
Patch: available
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.5209 (98.0th percentile)
Risk priority: 69 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-28434 is a high-severity Improper Privilege Management (CWE-269) vulnerability in MinIO (vendor minio, product minio). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

MinIO, a multi-cloud object storage framework, contains an authorization bypass vulnerability in versions prior to RELEASE.2023-03-20T20-16-18Z. The flaw lies in the handling of PostPolicyBucket requests, where crafted input can evade metadata bucket-name validation checks and allow object placement into arbitrary buckets. The issue is tracked under CWE-269 and carries a CVSS 3.1 score of 8.8.

An attacker who possesses credentials granting arn:aws:s3:::* permissions and who can reach an instance with Console API access enabled can exploit the weakness to write objects into any bucket on the target deployment. This effectively grants unauthorized write access across the object store without requiring additional privileges beyond the stated policy and API exposure.

The official MinIO advisory and the accompanying patches recommend upgrading to RELEASE.2023-03-20T20-16-18Z. As a temporary workaround, operators can enable browser API access while setting MINIO_BROWSER=off to block the affected code path.

The associated EPSS score sits at 0.5209 with no material increase after disclosure.


Vulnerability details

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

CWE(s): CWE-269 (Improper Privilege Management)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: minio
Product: minio
Affected versions: ≤ 2023-03-20T20-16-18Z

Mitigating Controls (NIST 800-53 r5)

prevent (AC-3, Access Enforcement): Directly enforces access-control decisions on PostPolicyBucket requests so that an authenticated subject cannot write objects into arbitrary buckets despite holding arn:aws:s3:::* rights.

prevent (SI-10, Information Input Validation): Requires validation of the bucket-name metadata supplied in the policy POST, blocking the crafted values that bypass the check.

prevent: Limits the breadth of S3 permissions granted to any single identity, reducing the impact of the missing bucket-name enforcement.
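The two facts a defender needs from the analysis above are the patched release tag and the over-broad `arn:aws:s3:::*` grant that the attack presupposes. The following triage helper is an added example, not code from this page or from the MinIO project: it parses MinIO release tags (assumed format RELEASE.YYYY-MM-DDTHH-MM-SSZ) to decide whether a reported server predates the fix, and scans an IAM-style policy document (a constructed sample) for Allow statements that pair a write-capable action with `arn:aws:s3:::*`, which is what the third mitigating control asks operators to narrow.

```python
"""Offline triage for CVE-2023-28434 (added example, not the page's or MinIO's code)."""
import json
import re
from datetime import datetime

FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"  # patched release named in the advisory
_TAG = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")
# Actions that can place an object; "*" and "s3:*" subsume s3:PutObject.
WRITE_ACTIONS = {"*", "s3:*", "s3:PutObject"}


def parse_release(tag: str) -> datetime:
    """Turn a MinIO release tag into a datetime; reject anything malformed."""
    m = _TAG.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_vulnerable_release(tag: str) -> bool:
    """True when the server release predates the one that shipped the fix."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_s3_statements(policy_json: str) -> list:
    """Return Allow statements granting a write action on arn:aws:s3:::*."""
    hits = []
    for st in json.loads(policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        writes = WRITE_ACTIONS & set(_as_list(st.get("Action")))
        if writes and "arn:aws:s3:::*" in _as_list(st.get("Resource")):
            hits.append(st)
    return hits


# Constructed sample policy: one over-broad statement, one properly scoped one.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::public-assets/*"},
]})

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable_release("RELEASE.2023-02-01T00-00-00Z"))
    for st in wildcard_s3_statements(SAMPLE_POLICY):
        print("over-broad grant:", st)
```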
