MinIO is susceptible to information disclosure. In cluster deployments starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering the necessary credentials. All users of distributed deployments are impacted.
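A defender-side check for the release range stated above, as an added example that is not part of the original page or of MinIO's code: it parses the timestamp embedded in a release tag and reports whether a deployment falls inside the affected window. The inventory entries, host names and the `distributed` flag are constructed assumptions.

```python
import re
from datetime import datetime, timezone

# Range boundaries exactly as stated in the advisory text.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"

TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")


def release_time(tag):
    """Return the UTC timestamp embedded in a release tag, or None."""
    m = TAG_RE.search(tag)  # search() also accepts image refs like repo:RELEASE...
    if not m:
        return None
    try:
        parsed = datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")
    except ValueError:  # well-formed pattern but impossible date
        return None
    return parsed.replace(tzinfo=timezone.utc)


def assess(tag, distributed):
    """Classify one deployment as 'affected', 'not-affected' or 'unknown'."""
    built = release_time(tag)
    if built is None:
        return "unknown"  # e.g. 'latest' or a custom build: review by hand
    in_range = release_time(FIRST_AFFECTED) <= built < release_time(FIRST_FIXED)
    # The advisory scopes the issue to cluster (distributed) deployments.
    return "affected" if in_range and distributed else "not-affected"


# Constructed sample inventory: (host, version string, distributed mode?)
INVENTORY = [
    ("minio-a.example.internal", "RELEASE.2021-06-01T00-00-00Z", True),
    ("minio-b.example.internal", "minio/minio:RELEASE.2021-06-01T00-00-00Z", False),
    ("minio-c.example.internal", FIRST_FIXED, True),
    ("minio-d.example.internal", "latest", True),
]


def report(inventory):
    """Map each host to its verdict."""
    return {host: assess(tag, dist) for host, tag, dist in inventory}


if __name__ == "__main__":
    for host, verdict in report(INVENTORY).items():
        print(f"{host}: {verdict}")
```

Hosts reported as `affected` need both the upgrade and a rotation of the credentials held in their environment variables, since those values may already have been read.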
View the template here: CVE-2023-28432.yaml
Lab | Machine | Link |
---|---|---|
Hack The Box | Skyfall | Go to Practice |
References:
https://github.com/minio/minio/pull/16853/files