BIT-minio-2023-28434
See a problem?- Import Source
- https://github.com/bitnami/vulndb/tree/main/data/minio/BIT-minio-2023-28434.json
- JSON Data
- https://api.osv.dev/v1/vulns/BIT-minio-2023-28434
- Aliases
- Published
- 2024-03-06T10:56:17Z
- Modified
- 2024-03-06T11:25:28.861Z
- Summary
- [none]
- Details
-
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing
PostPolicyBucket. To carry out this attack, the attacker requires credentials witharn:aws:s3:::*permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn offMINIO_BROWSER=off. - Database specific
{ "cpes": [ "cpe:2.3:a:minio:minio:*:*:*:*:*:*:*:*" ], "severity": "High" }- References
Affected packages
Bitnami / minio
Package
- Name
- minio
- Purl
- pkg:bitnami/minio
Severity
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator