QID 730787

Date Published: 2023-04-24

QID 730787: MinIO Information Disclosure Vulnerability

MinIO is a high-performance object storage server. It is API-compatible with the Amazon S3 cloud storage service and can handle unstructured data such as photos, videos, log files, backups, and container images, with a current maximum supported object size of 5 TB.

In a distributed deployment of MinIO, a vulnerability results in information disclosure affecting all users of the deployment. Specifically, MinIO returns all environment variables, including sensitive ones such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, without adequate protection, which malicious actors can exploit to gain unauthorized access to the system.

Affected Versions:
MinIO versions from RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z

QID Detection Logic (Unauthenticated):
This QID performs an HTTP POST request to the "/minio/bootstrap/v1/verify" endpoint of a host running a distributed deployment of MinIO and analyzes the response body to determine whether MinIO is returning all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD.
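The two decisions the detection logic above rests on, as an added illustration that is not Qualys or MinIO code: whether a reported release tag falls inside the affected window given under "Affected Versions", and whether a captured verify-endpoint response body exposes environment variables. The sample response body is constructed, and its JSON shape is an assumption; the checks report only variable names, never values.

```python
"""Offline helpers for the two checks behind QID 730787 (added example)."""
import json
import re
from datetime import datetime

# Affected window, taken from the advisory text above.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED_IN = "RELEASE.2023-03-20T20-16-18Z"

# Variables the QID names explicitly as evidence of disclosure.
SENSITIVE = {"MINIO_SECRET_KEY", "MINIO_ROOT_PASSWORD"}

_RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")
_ENV_NAME_RE = re.compile(r"^MINIO_[A-Z0-9_]+$")


def parse_release(tag: str) -> datetime:
    """MinIO release tags are UTC timestamps; convert one to a datetime."""
    m = _RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")


def is_affected_version(tag: str) -> bool:
    """True when FIRST_AFFECTED <= tag < FIXED_IN (the fix release is safe)."""
    t = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= t < parse_release(FIXED_IN)


def _walk(node, found: set) -> None:
    # Collect every key anywhere in the JSON that looks like a MINIO_* variable.
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(k, str) and _ENV_NAME_RE.match(k):
                found.add(k)
            _walk(v, found)
    elif isinstance(node, list):
        for v in node:
            _walk(v, found)


def leaked_variables(body: str) -> list:
    """Names (never values) of environment variables present in a verify response.
    Falls back to a plain-text search for the two named variables if not JSON."""
    found: set = set()
    try:
        _walk(json.loads(body), found)
    except ValueError:
        found.update(n for n in SENSITIVE if n in body)
    return sorted(found)


def is_vulnerable(body: str) -> bool:
    """Vulnerable if either variable the QID names appears in the response."""
    return bool(SENSITIVE & set(leaked_variables(body)))


# Constructed sample body (shape assumed); values are placeholders, not real secrets.
SAMPLE_LEAK = json.dumps({"MinioEnv": {
    "MINIO_ROOT_USER": "<placeholder>",
    "MINIO_ROOT_PASSWORD": "<placeholder>",
    "MINIO_SECRET_KEY": "<placeholder>"}})
```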

Successful exploitation of this vulnerability may allow an attacker to compromise confidential data of the targeted user.

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    Customers are recommended to upgrade to the latest version of MinIO to remediate this vulnerability.
  • Vendor References
    CVEs related to QID 730787

    Software Advisories
    minio Security Advisory: github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q