CVE-2023-28432 PoC — Minio Information Disclosure in Cluster Deployment

Source

https://github.com/h0ng10/CVE-2023-28432_docker

Associated Vulnerability

Title:Minio Information Disclosure in Cluster Deployment (CVE-2023-28432)
Description:Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

Description

Test environments for CVE-2023-28432, information disclosure in MinIO clusters

Readme

# CVE-2023-28432_docker
Test environments for CVE-2023-28432, information disclosure in MinIO clusters.

The directories provide different versions / configurations for a MinIO cluster:

| Directory                  | Remark                                                                            |
| -------------------------- | --------------------------------------------------------------------------------- |
| leaked-key                 | Vulnerable instance, using the (deprecated) MINIO_ACCESS_KEY environment variable |
| leaked-password            | Vulnerable instance, using the MINIO_ROOT_PASSWORD environment variable.          |
| no-password                | Vulnerable instance, using the default credentials if no password is set          |
| not-vulnerable             | Secure instance                                                                   |
| not-vulnerable-default-pw  | Secure instance, using the default credentials, thus vulnerable                   |

File Snapshot

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!