← ExploitWatch
HomeExploited Vulnerabilities

CVE-2023-28434 — Actively Exploited: MinIO (MinIO)

MinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:

CVE IDCVE-2023-28434
VendorMinIO
ProductMinIO
Vulnerability nameMinIO Security Feature Bypass Vulnerability
Date added2023-09-19
Remediation due2023-10-10
Known ransomware useUnknown
Required actionApply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
DescriptionMinIO contains a security feature bypass vulnerability that allows an attacker to use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket` to conduct privilege escalation. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access.
SourceCISA Known Exploited Vulnerabilities

🔍 Search all exploited vulnerabilities →