CVE-2023-28434

Description

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::\* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER\=off.

GitHub, Inc.
Severity: HIGH
CVE ID: CVE-2023-28434
CVSS Score: 8.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

AbelChe

EXP for CVE-2023-28434 MinIO unauthorized to RCE

Refrence: GitHub

Content on GitHub

Mr-xn | watchers:31

CVE-2023-28432
CVE-2023-28434 nuclei templates

Refrence: GitHub

Description​

Proof Of Concept​

Content on GitHub​

Description

Proof Of Concept

Content on GitHub