Exploit for MinIO Cluster Deployment - Information Disclosure (CVE-2023-28432)

Description:

MinIO is susceptible to information disclosure. In a cluster (distributed) deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all of its environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without supplying the necessary credentials. All users of distributed deployments are impacted; single-node deployments are not affected by this issue.

Proof of Concept

PoC exploit

Nuclei Template

View the template here CVE-2023-28432.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2023/CVE-2023-28432.yaml

Try the exploit in a lab environment:

Lab Machine: Hack The Box Skyfall

References:

https://github.com/minio/minio/pull/16853/files
https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
https://github.com/golang/vulndb/issues/1667
https://nvd.nist.gov/vuln/detail/CVE-2023-28432
https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q