MinIO Information Disclosure Vulnerability - 20230426004

Overview

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z,

MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure.

All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

What is the vulnerability?

CVE-VE-2023-28432 - CVSS v3 Base Score: 7.5

What is vulnerable?

The vulnerability affects the following products:

• All users of distributed deployment are impacted.

What has been observed?

There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing

Recommendation

The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices: Vendor URL

Additional References

• https://twitter.com/Andrew___Morris/status/1639325397241278464
• https://viz.greynoise.io/tag/minio-information-disclosure-attempt
• https://www.greynoise.io/blog/openai-minio-and-why-you-should-always-use-docker-cli-scan-to-keep-your-supply-chain-clean