| # | POC Description | Source Link | Shenlong Link |
|---|---|---|---|
| 1 | CVE-2023-28434 nuclei templates | https://github.com/Mr-xn/CVE-2023-28432 | POC Details |
| 2 | MinIO verify interface sensitive information disclosure vulnerability (CVE-2023-28432) | https://github.com/gobysec/CVE-2023-28432 | POC Details |
| 3 | CVE-2023-28432, minio unauthorized access detection tool | https://github.com/Okaytc/minio_unauth_check | POC Details |
| 4 | MinIO sensitive information disclosure vulnerability batch scanning poc&exp | https://github.com/MzzdToT/CVE-2023-28432 | POC Details |
| 5 | CVE-2023-28432 POC | https://github.com/acheiii/CVE-2023-28432 | POC Details |
| 6 | Implements basic batch detection based on the vulhub reproduction process. Fairly crude but barely usable | https://github.com/steponeerror/Cve-2023-28432- | POC Details |
| 7 | CVE-2023-28432 MinIO sensitive information disclosure detection script | https://github.com/Cuerz/CVE-2023-28432 | POC Details |
| 8 | minio sensitive information disclosure | https://github.com/Majus527/MinIO_CVE-2023-28432 | POC Details |
| 9 | None | https://github.com/LHXHL/Minio-CVE-2023-28432 | POC Details |
| 10 | Test environments for CVE-2023-28432, information disclosure in MinIO clusters | https://github.com/h0ng10/CVE-2023-28432_docker | POC Details |
| 11 | None | https://github.com/CHINA-china/MinIO_CVE-2023-28432_EXP | POC Details |
| 12 | MinIO Information Disclosure Vulnerability scanner by metasploit | https://github.com/TaroballzChen/CVE-2023-28432-metasploit-scanner | POC Details |
| 13 | CVE-2023-28432 detection tool | https://github.com/bingtangbanli/CVE-2023-28432 | POC Details |
| 14 | Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables. | https://github.com/Chocapikk/CVE-2023-28432 | POC Details |
| 15 | None | https://github.com/yTxZx/CVE-2023-28432 | POC Details |
| 16 | https://github.com/AbelChe/evil_minio/tree/main packaged and archived | https://github.com/Fw-fW-fw/CVE-2023-28432-minio_update_rce | POC Details |
| 17 | https://github.com/AbelChe/evil_minio/tree/main packaged and archived | https://github.com/unam4/CVE-2023-28432-minio_update_rce | POC Details |
| 18 | CVE-2023-28432 Minio Information Disclosure Exploit | https://github.com/C1ph3rX13/CVE-2023-28432 | POC Details |
| 19 | None | https://github.com/netuseradministrator/CVE-2023-28432 | POC Details |
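| 20 | The minio system has an information disclosure vulnerability: an unauthenticated remote attacker can obtain all sensitive information, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, by sending a special POST request to /minio/bootstrap/v1/verify, which may lead to disclosure of the administrator account password. | https://github.com/xk-mt/CVE-2023-28432 | POC Details |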
| 21 | MinIO vulnerability exploit - CVE-2023-28432 | https://github.com/0xRulez/CVE-2023-28432 | POC Details |
| 22 | PoC for CVE-2023-28432 | https://github.com/fhAnso/CVE-2023-28432 | POC Details |
| 23 | MinIO vulnerability exploit - CVE-2023-28432 | https://github.com/BitWiz4rd/CVE-2023-28432 | POC Details |
| 24 | CVE-2023-28432 detection tool | https://github.com/NET-Flowers/CVE-2023-28432 | POC Details |
| 25 | MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-28432.yaml | POC Details |
| 26 | None | https://github.com/Threekiii/Awesome-POC/blob/master/Web%E5%BA%94%E7%94%A8%E6%BC%8F%E6%B4%9E/MinIO%20%E9%9B%86%E7%BE%A4%E6%A8%A1%E5%BC%8F%E4%BF%A1%E6%81%AF%E6%B3%84%E9%9C%B2%E6%BC%8F%E6%B4%9E%20CVE-2023-28432.md | POC Details |
| 27 | | https://github.com/vulhub/vulhub/blob/master/minio/CVE-2023-28432/README.md | POC Details |

| CVE | Severity | Description |
|---|---|---|
| CVE-2023-28433 | 8.8 HIGH | Minio Privilege Escalation on Windows via Path separator manipulation |
| CVE-2023-28434 | 8.8 HIGH | MinIO is vulnerable to privilege escalation on Linux/MacOS |