Closed
Description
CVE-2023-28433 references github.com/minio/minio, which may be a Go module.
Description:
Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-28433
- JSON: https://github.com/CVEProject/cvelist/tree/62be7ee36f0eead443ed7698fa19b4bd5afe10ad/2023/28xxx/CVE-2023-28433.json
- web: https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
- advisory: GHSA-w23q-4hw3-2pp6
- fix: minio/minio@8d6558b
- fix: minio/minio@b3c54ec
- Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby
Cross references:
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
- Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634 EFFECTIVELY_PRIVATE
See doc/triage.md for instructions on how to triage this report.
modules:
    - module: github.com/minio/minio
      packages:
          - package: minio
description: |
    Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.
cves:
    - CVE-2023-28433
references:
    - web: https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
    - advisory: https://github.com/minio/minio/security/advisories/GHSA-w23q-4hw3-2pp6
    - fix: https://github.com/minio/minio/commit/8d6558b23649f613414c8527b58973fbdfa4d1b8
    - fix: https://github.com/minio/minio/commit/b3c54ec81e0a06392abfb3a1ffcdc80c6fbf6ebc