Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2023-28432

Disclosure Date: March 22, 2023 •

CVE-2023-28432 CVSS v3 Base Score: 7.5

Exploited in the Wild

Reported by gwillcox-r7 and 2 more...
View Source Details

Metasploit Module

auxiliary/gather/minio_bootstrap_verify_info_disc

Description

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY
and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

3.6

Exploitability Score:

3.9

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector (AV):

Network

Attack Complexity (AC):

Low

Privileges Required (PR):

None

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

None

Availability (A):

None

Vendors

minio

Products

minio

Metasploit Modules

auxiliary/gather/minio_bootstrap_verify_info_disc (https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/minio_bootstrap_verify_info_disc.rb)

Exploited in the Wild

Reported by:

gwillcox-r7 indicated source as News Article or Blog (https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean)

Reported: April 12, 2023 4:57am UTC (1 year ago)

mkienow-r7 indicated sources as

Government or Industry Alert (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
Other: CISA Gov Alert (https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-exploited-vulnerabilities-catalog)

Reported: April 21, 2023 5:23pm UTC (1 year ago)

AttackerKB Worker indicated source as Government or Industry Alert (https://www.cisa.gov/news-events/alerts/2023/04/21/cisa-adds-three-known-exploited-vulnerabilities-catalog)

Reported: November 08, 2024 8:27am UTC (2 weeks ago)

References

Canonical

CVE-2023-28432 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28432)

Exploit

PoCs that have not been added by contributors directly have been sourced from: nomi-sec/PoC-in-GitHub.
A PoC added here by the AKB Worker must have at least 2 GitHub stars.

CVE-2023-28432 (https://github.com/Mr-xn/CVE-2023-28432) (Added by AKB Worker)

CVE-2023-28432 (https://github.com/MzzdToT/CVE-2023-28432) (Added by AKB Worker)

CVE-2023-28432 (https://github.com/gobysec/CVE-2023-28432) (Added by AKB Worker)