CVE-2023-28432: 
MinIO vulnerability analysis and mitigation

CVE-2023-28432 is a critical information disclosure vulnerability discovered in MinIO, a Multi-Cloud Object Storage framework. The vulnerability affects MinIO cluster deployments starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z. The vulnerability has a CVSS score of 7.5 (High) and was disclosed on March 22, 2023 (NVD, GitHub Advisory).

The vulnerability occurs in the VerifyHandler function within the bootstrap-peer-server.go file of the MinIO source code. When MinIO returns all environment variables, it includes sensitive information such as MINIOSECRETKEY and MINIOROOTPASSWORD. The vulnerable code retrieves all environment variables that start with the MINIO_ prefix and returns them in the system configuration (GitHub Advisory).

The vulnerability can lead to the exposure of sensitive information, including secret keys and passwords, to unauthorized parties. This could allow attackers to access and manipulate data stored in the MinIO cluster without proper authorization. The vulnerability affects all users of distributed deployment (SentinelOne).

Users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z or later to mitigate the risk of information disclosure. The vulnerability was patched in commit 3b5dbf90468b874e99253d241d16d175c2454077. There are no known workarounds for this vulnerability (GitHub Release).