CVE-2023-28432
Description
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
Severity: HIGH
CVE ID: CVE-2023-28432
CVSS Score: 7.5
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Proof Of Concept
Nuclei Templates for CVE-2023-28432
Reference: Project Discovery GitHub
Mr-xn
CVE-2023-28434 nuclei templates
Reference: GitHub
gobysec
MinIO verify interface sensitive information disclosure vulnerability (CVE-2023-28432)
Reference: GitHub
Okaytc
CVE-2023-28432, MinIO unauthenticated access detection tool
Reference: GitHub
MzzdToT
MinIO sensitive information disclosure vulnerability batch scanning PoC & exploit
Reference: GitHub
acheiii
CVE-2023-28432 POC
Reference: GitHub
steponeerror
Basic batch detection implemented by following the vulhub reproduction process. Fairly rough, but barely usable.
Reference: GitHub
Cuerz
CVE-2023-28432 MinIO sensitive information disclosure detection script
Reference: GitHub
LHXHL
Reference: GitHub
h0ng10
Test environments for CVE-2023-28432, information disclosure in MinIO clusters
Reference: GitHub
CHINA-china
Reference: GitHub
TaroballzChen
MinIO Information Disclosure Vulnerability scanner by metasploit
Reference: GitHub
bingtangbanli
CVE-2023-28432 detection tool
Reference: GitHub
Chocapikk
Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables.
Reference: GitHub
yTxZx
Reference: GitHub
unam4
https://github.com/AbelChe/evil_minio/tree/main packaged and archived
Reference: GitHub
C1ph3rX13
CVE-2023-28432 MinIO Information Disclosure Exploit
Reference: GitHub
netuseradministrator
Reference: GitHub
xk-mt
The MinIO system has an information disclosure vulnerability: an unauthenticated remote attacker can obtain all sensitive information, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, by sending a specially crafted POST request to /minio/bootstrap/v1/verify, which may lead to leakage of the administrator account credentials.
Reference: GitHub
0xRulez
MinIO vulnerability exploit - CVE-2023-28432
Reference: GitHub
Content on GitHub
Romanc9 | watchers:1
Gui-poc-test
A testing tool for CobaltStrike-RCE:CVE-2022-39197; Weblogic-RCE:CVE-2023-21839; MinIO:CVE-2023-28432
Reference: GitHub
bingtangbanli | watchers:10
VulnerabilityTools
[CVE_2023_28432 vulnerability, CVE_2023_32315 vulnerability, ThinkPHP 2.x arbitrary code execution vulnerability, ThinkPHP5 5.0.22/5.1.29 remote code execution vulnerability, ThinkPHP5 5.0.23 remote code execution vulnerability, ThinkPHP multi-language local file inclusion vulnerability]
Reference: GitHub
peiqiF4ck | watchers:157
WebFrameworkTools-5.1-main
This software first integrates RCE (requiring no login, or executing RCE via login bypass) and deserialization (with simple exploit chains) for high-impact frameworks and some mainstream CMSes. Simply import URLs to perform batch getshell and batch automated testing. For example: ThinkPHP, Struts2, WebLogic. Newly published vulnerabilities are tracked and updated in real time, for example: log4j RCE, Sunflower (向日葵), ZenTao (禅道) RCE, Ruiyou Tianyi (瑞友天翼) application virtualization system SQL injection leading to RCE, Dahua (大华) smart park upload, Kingdee Cloud Cosmic (金蝶云星空) vulnerability, etc.
Reference: GitHub