Vulnerability detail
Enriched intelligence for a single CVE
High
CVE-2023-28434
PUBLISHEDMinIO is vulnerable to privilege escalation on Linux/MacOS
- Vendor
- minio
- Product
- minio
- Published
- Mar 22, 2023
- EPSS
- —
Description
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.
CVSS scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitation status
Exploited in the wild
Recorded 2023-09-19 00:00:00 UTC · Source
SSVC decision points
- Exploitation
- active
- Automatable
- No
- Technical impact
- total
Known exploited vulnerability sources
Catalogues that list this CVE as a known exploited vulnerability.
| Source | Added |
|---|---|
| CISA | Sep 19, 2023 |
Scanner integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nessus | https://www.tenable.com/plugins/nessus/181873 | Jun 02, 2025 |
Timeline
-
CVE ID Reserved
-
CVE Published to Public
-
Added to KEVIntel
-
Detected by Nessus