cvelistv5 - cve-2023-28433

CVE-2023-28433 (GCVE-0-2023-28433)

Vulnerability from cvelistv5 – Published: 2023-03-22 20:33 – Updated: 2025-02-25 14:51

Summary

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-668 - Exposure of Resource to Wrong Sphere

Assigner

GitHub_M

References

URL

Tags

	https://github.com/minio/minio/security/advisorie…	x_refsource_CONFIRM
	https://github.com/minio/minio/commit/8d6558b2364…	x_refsource_MISC
	https://github.com/minio/minio/commit/b3c54ec81e0…	x_refsource_MISC
	https://github.com/minio/minio/releases/tag/RELEA…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	minio	minio	Affected: < RELEASE.2023-03-20T20-16-18Z

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T12:38:25.491Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
          },
          {
            "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
          },
          {
            "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
          },
          {
            "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-28433",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-25T14:29:09.291844Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-25T14:51:18.769Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minio",
          "vendor": "minio",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c RELEASE.2023-03-20T20-16-18Z"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-668",
              "description": "CWE-668: Exposure of Resource to Wrong Sphere",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-03-22T20:33:43.452Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
        },
        {
          "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
        },
        {
          "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
        },
        {
          "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
        }
      ],
      "source": {
        "advisory": "GHSA-w23q-4hw3-2pp6",
        "discovery": "UNKNOWN"
      },
      "title": "Minio Privilege Escalation on Windows via Path separator manipulation"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2023-28433",
    "datePublished": "2023-03-22T20:33:43.452Z",
    "dateReserved": "2023-03-15T15:59:10.052Z",
    "dateUpdated": "2025-02-25T14:51:18.769Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2023-03-20t20-16-18z\", \"matchCriteriaId\": \"63CBB19F-80FF-4D6B-ADF3-7BD9768861D0\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.\"}]",
      "id": "CVE-2023-28433",
      "lastModified": "2024-11-21T07:55:03.410",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}]}",
      "published": "2023-03-22T21:15:18.340",
      "references": "[{\"url\": \"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\"]}, {\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-668\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-28433\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2023-03-22T21:15:18.340\",\"lastModified\":\"2024-11-21T07:55:03.410\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2023-03-20t20-16-18z\",\"matchCriteriaId\":\"63CBB19F-80FF-4D6B-ADF3-7BD9768861D0\"}]}]}],\"references\":[{\"url\":\"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\", \"name\": \"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\", \"name\": \"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\", \"name\": \"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T12:38:25.491Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-28433\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-02-25T14:29:09.291844Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-02-25T14:29:11.274Z\"}}], \"cna\": {\"title\": \"Minio Privilege Escalation on Windows via Path separator manipulation\", \"source\": {\"advisory\": \"GHSA-w23q-4hw3-2pp6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"minio\", \"product\": \"minio\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c RELEASE.2023-03-20T20-16-18Z\"}]}], \"references\": [{\"url\": \"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\", \"name\": \"https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\", \"name\": \"https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\", \"name\": \"https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\", \"name\": \"https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-668\", \"description\": \"CWE-668: Exposure of Resource to Wrong Sphere\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2023-03-22T20:33:43.452Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-28433\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-25T14:51:18.769Z\", \"dateReserved\": \"2023-03-15T15:59:10.052Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2023-03-22T20:33:43.452Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

FKIE_CVE-2023-28433

Vulnerability from fkie_nvd - Published: 2023-03-22 21:15 - Updated: 2024-11-21 07:55

Severity ?

8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8	Patch
security-advisories@github.com	https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc	Patch
security-advisories@github.com	https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z	Release Notes
security-advisories@github.com	https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z	Release Notes
af854a3a-2127-422b-91ae-364da2661108	https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6	Vendor Advisory

Impacted products

	Vendor	Product	Version
	minio	minio	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "63CBB19F-80FF-4D6B-ADF3-7BD9768861D0",
              "versionEndExcluding": "2023-03-20t20-16-18z",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds."
    }
  ],
  "id": "CVE-2023-28433",
  "lastModified": "2024-11-21T07:55:03.410",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-03-22T21:15:18.340",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

VAR-202303-1729

Vulnerability from variot - Updated: 2023-12-18 13:41

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-202303-1729",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "minio",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "minio",
        "version": "2023-03-20t20-16-18z"
      },
      {
        "model": "minio",
        "scope": null,
        "trust": 0.8,
        "vendor": "minio",
        "version": null
      },
      {
        "model": "minio",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "minio",
        "version": null
      },
      {
        "model": "minio",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "minio",
        "version": "2023-03-20t20-16-18z"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2023-03-20t20-16-18z",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      }
    ]
  },
  "cve": "CVE-2023-28433",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "exploitabilityScore": 2.8,
            "impactScore": 5.9,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "trust": 2.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 8.8,
            "baseSeverity": "High",
            "confidentialityImpact": "High",
            "exploitabilityScore": null,
            "id": "CVE-2023-28433",
            "impactScore": null,
            "integrityImpact": "High",
            "privilegesRequired": "Low",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2023-28433",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "security-advisories@github.com",
            "id": "CVE-2023-28433",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-202303-1793",
            "trust": 0.6,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds. Minio Inc. of Minio Exists in unspecified vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-28433"
      }
    ],
    "trust": 1.71
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2023-28433",
        "trust": 3.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842",
        "trust": 0.8
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2023-28433",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28433"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "id": "VAR-202303-1729",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.18899521
  },
  "last_update_date": "2023-12-18T13:41:34.735000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "MinIO Security vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqbyid.tag?id=230917"
      }
    ],
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      },
      {
        "problemtype": "Lack of information (CWE-noinfo) [NVD evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
      },
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/security/advisories/ghsa-w23q-4hw3-2pp6"
      },
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
      },
      {
        "trust": 2.5,
        "url": "https://github.com/minio/minio/releases/tag/release.2023-03-20t20-16-18z"
      },
      {
        "trust": 0.8,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2023-28433"
      },
      {
        "trust": 0.6,
        "url": "https://cxsecurity.com/cveshow/cve-2023-28433/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/668.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28433"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULMON",
        "id": "CVE-2023-28433"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-03-22T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-28433"
      },
      {
        "date": "2023-11-10T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "date": "2023-03-22T21:15:18.340000",
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "date": "2023-03-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2023-03-23T00:00:00",
        "db": "VULMON",
        "id": "CVE-2023-28433"
      },
      {
        "date": "2023-11-10T04:23:00",
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      },
      {
        "date": "2023-03-28T16:25:36.637000",
        "db": "NVD",
        "id": "CVE-2023-28433"
      },
      {
        "date": "2023-03-29T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Minio\u00a0Inc.\u00a0 of \u00a0Minio\u00a0 Vulnerability in",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2023-005842"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-202303-1793"
      }
    ],
    "trust": 0.6
  }
}

GSD-2023-28433

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2023-28433

Aliases

CVE-2023-28433

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-28433",
    "id": "GSD-2023-28433"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2023-28433"
      ],
      "details": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.",
      "id": "GSD-2023-28433",
      "modified": "2023-12-13T01:20:47.372671Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2023-28433",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "minio",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "\u003c RELEASE.2023-03-20T20-16-18Z"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "minio"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-668",
                "lang": "eng",
                "value": "CWE-668: Exposure of Resource to Wrong Sphere"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
          },
          {
            "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
          },
          {
            "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
          },
          {
            "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
            "refsource": "MISC",
            "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-w23q-4hw3-2pp6",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv2023-03-20t20-16-18z",
          "affected_versions": "All versions before 2023-03-20t20-16-18z",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-03-28",
          "description": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.",
          "fixed_versions": [
            "v2023-03-20t20-16-18z"
          ],
          "identifier": "CVE-2023-28433",
          "identifiers": [
            "CVE-2023-28433",
            "GHSA-w23q-4hw3-2pp6"
          ],
          "not_impacted": "",
          "package_slug": "go/github.com/minio/minio",
          "pubdate": "2023-03-22",
          "solution": "Upgrade to version 2023-03-20t20-16-18z or above.",
          "title": "Privilege Escalation on Windows via Path separator manipulation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-28433",
            "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
            "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
            "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
            "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
          ],
          "uuid": "7213b7f8-0cbc-47b2-aa16-3a79a28df09c",
          "versions": []
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2023-03-20t20-16-18z",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2023-28433"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
            },
            {
              "name": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6",
              "refsource": "MISC",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
            },
            {
              "name": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
            },
            {
              "name": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z",
              "refsource": "MISC",
              "tags": [
                "Release Notes"
              ],
              "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2023-03-28T16:25Z",
      "publishedDate": "2023-03-22T21:15Z"
    }
  }
}

GHSA-W23Q-4HW3-2PP6

Vulnerability from github – Published: 2023-09-06 18:43 – Updated: 2023-09-06 18:43

Summary

Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation

Details

Impact

All users on Windows are impacted. MinIO fails to filter the \ character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to PutObject in a specific bucket, can create an admin user.

Patches

There are two patches that fix this problem comprehensively

commit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc
Author: Harshavardhana <harsha@minio.io>
Date:   Mon Mar 20 13:16:00 2023 -0700

    reject object names with '\' on windows (#16856)

commit 8d6558b23649f613414c8527b58973fbdfa4d1b8
Author: Harshavardhana <harsha@minio.io>
Date:   Mon Mar 20 00:35:25 2023 -0700

    fix: convert '\' to '/' on windows (#16852)

Workarounds

There are no known workarounds

References

The vulnerable code:

// minio/cmd/generic-handlers.go
// Check if the incoming path has bad path components,
// such as ".." and "."
// SlashSeparator -> /
// dotdotComponent -> ..
// dotComponent -> .
func hasBadPathComponent(path string) bool {
  path = strings.TrimSpace(path)
  for _, p := range strings.Split(path, SlashSeparator) {
    switch strings.TrimSpace(p) {
    case dotdotComponent:
      return true
    case dotComponent:
      return true
    }
  }
  return false
}

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/minio/minio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.0-202303200735"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-28433"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-668"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-06T18:43:13Z",
    "nvd_published_at": "2023-03-22T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAll users on Windows are impacted. MinIO fails to filter the `\\` character, which allows for arbitrary object placement across\nbuckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user.\n\n### Patches\nThere are two patches that fix this problem comprehensively\n\n```\ncommit b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc\nAuthor: Harshavardhana \u003charsha@minio.io\u003e\nDate:   Mon Mar 20 13:16:00 2023 -0700\n\n    reject object names with \u0027\\\u0027 on windows (#16856)\n```\n\n```\ncommit 8d6558b23649f613414c8527b58973fbdfa4d1b8\nAuthor: Harshavardhana \u003charsha@minio.io\u003e\nDate:   Mon Mar 20 00:35:25 2023 -0700\n\n    fix: convert \u0027\\\u0027 to \u0027/\u0027 on windows (#16852)\n```\n\n### Workarounds\nThere are no known workarounds\n\n### References\nThe vulnerable code:\n```go\n// minio/cmd/generic-handlers.go\n// Check if the incoming path has bad path components,\n// such as \"..\" and \".\"\n// SlashSeparator -\u003e /\n// dotdotComponent -\u003e ..\n// dotComponent -\u003e .\nfunc hasBadPathComponent(path string) bool {\n  path = strings.TrimSpace(path)\n  for _, p := range strings.Split(path, SlashSeparator) {\n    switch strings.TrimSpace(p) {\n    case dotdotComponent:\n      return true\n    case dotComponent:\n      return true\n    }\n  }\n  return false\n}\n```\n",
  "id": "GHSA-w23q-4hw3-2pp6",
  "modified": "2023-09-06T18:43:13Z",
  "published": "2023-09-06T18:43:13Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28433"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/minio/minio"
    },
    {
      "type": "WEB",
      "url": "https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Minio vulnerable to Privilege Escalation on Windows via Path separator manipulation"
}

WID-SEC-W-2023-2282

Vulnerability from csaf_certbund - Published: 2023-09-06 22:00 - Updated: 2023-09-06 22:00

Summary

MinIO: Schwachstelle ermöglicht Privilegieneskalation

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

MinIO ist ein S3-kompatibler Objektspeicher, der für groß angelegte KI/ML-, Data Lake- und Datenbank-Workloads entwickelt wurde. Er läuft "on-premise" und in jeder Cloud.

Angriff

Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MinIO ausnutzen, um seine Privilegien zu erhöhen.

Betroffene Betriebssysteme

- Windows

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "MinIO ist ein S3-kompatibler Objektspeicher, der f\u00fcr gro\u00df angelegte KI/ML-, Data Lake- und Datenbank-Workloads entwickelt wurde. Er l\u00e4uft \"on-premise\" und in jeder Cloud.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in MinIO ausnutzen, um seine Privilegien zu erh\u00f6hen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Windows",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2023-2282 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2023/wid-sec-w-2023-2282.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2023-2282 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-2282"
      },
      {
        "category": "external",
        "summary": "GitHub Advisory Database vom 2023-09-06",
        "url": "https://github.com/advisories/GHSA-w23q-4hw3-2pp6"
      }
    ],
    "source_lang": "en-US",
    "title": "MinIO: Schwachstelle erm\u00f6glicht Privilegieneskalation",
    "tracking": {
      "current_release_date": "2023-09-06T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T17:58:07.743+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2023-2282",
      "initial_release_date": "2023-09-06T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2023-09-06T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Open Source MinIO \u003c 2023-03-20T20-16-18Z",
            "product": {
              "name": "Open Source MinIO \u003c 2023-03-20T20-16-18Z",
              "product_id": "1367019",
              "product_identification_helper": {
                "cpe": "cpe:/a:minio:minio:2023-03-20t20-16-18z"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-28433",
      "notes": [
        {
          "category": "description",
          "text": "Es existiert eine Schwachstelle in MinIO. Das \\-Zeichen wird nicht sachgem\u00e4\u00df gefiltert, was eine willk\u00fcrliche Objektplatzierung \u00fcber Buckets hinweg erm\u00f6glicht. Ein authentisierter Angreifer kann diese Schwachstelle ausnutzen, um einen Admin-Benutzer erstellen und so seine Rechte zu erweitern."
        }
      ],
      "release_date": "2023-09-06T22:00:00.000+00:00",
      "title": "CVE-2023-28433"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-28433 (GCVE-0-2023-28433)

FKIE_CVE-2023-28433

VAR-202303-1729

GSD-2023-28433

GHSA-W23Q-4HW3-2PP6

Impact

Patches

Workarounds

References

WID-SEC-W-2023-2282

Tags

Sightings

Nomenclature