CVE-2023-28434

Published: 22/03/2023 Updated: 07/11/2023
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 0

Vulnerability Summary

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

Vulnerable Product

minio minio

Github Repositories

EXP for CVE-2023-28434 MinIO unauthorized to RCE

Evil MinIO (CVE-2023-28434). Doc: CVE-2023-28432 MinIO unauthorized interface access to lossless RCE and global backdoor (PDF). EXP for CVE-2023-28434 MinIO unauthorized to RCE. Changed from github.com/minio/minio/tree/8b4d0255b7247b1a06d923e69ed5ba01434e70b8. Changed what? add cmd/xgo, used for exec system command: `package cmd import ( "os/exec" "runtime" ) func get`
