HIGH🚩 CISA KEV⚡ EXPLOIT🇵🇱 Wersja polska

CVE-2023-28434

CVSS 8.8v3.1pub. 2023-03-22upd. 2026-02-26

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Minio

    APP
    Minio
    < 2023-03-20t20-16-18z

CISA KEV — detailsi

Vendori
MinIO
Producti
MinIO
Added to KEVi
September 19, 2023
Remediation deadline (US Federal)i
October 10, 2023(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 10 października 2023
CWE
References

Related vulnerabilities

CVE-2026-33322CRITICAL9.2PL ✓ten sam produkt

MinIO: JWT algorithm confusion umożliwia obejście uwierzytelnienia OIDC

CVE-2026-33419CRITICAL9.1PL ✓ten sam produkt

MinIO AIStor: brute-force danych LDAP przez STS AssumeRoleWithLDAPIdentity

CVE-2020-11012CRITICAL9.3ten sam produkt

MinIO versions before RELEASE.2020-04-23T00-58-49Z have an authentication bypass issue in the MinIO admin API....

CVE-2023-28432HIGH7.5⚠ KEVten sam produkt

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-1...

CVE-2026-40344HIGH8.8ten sam produkt

MinIO is a high-performance object storage system. Starting in RELEASE.2023-05-18T00-05-36Z and prior to RELEA...