CVE-2023-28433: 
MinIO vulnerability analysis and mitigation

CVE-2023-28433 is a critical vulnerability affecting MinIO, a Multi-Cloud Object Storage framework. The vulnerability was discovered in Windows deployments prior to version RELEASE.2023-03-20T20-16-18Z. The issue stems from MinIO's failure to properly filter the backslash character (), which enables arbitrary object placement across buckets (MinIO Advisory, NVD).

The vulnerability occurs due to improper path validation in the hasBadPathComponent function, which fails to properly handle Windows-style path separators. This implementation flaw allows manipulation of object paths using backslashes. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows a user with low privileges (such as an access key, service account, or STS credential) who only has permission to PutObject in a specific bucket to escalate their privileges and create an admin user. This represents a significant security risk as it enables privilege escalation across bucket boundaries (MinIO Advisory).

The vulnerability has been patched in MinIO version RELEASE.2023-03-20T20-16-18Z. The fix includes two key commits: one to convert backslashes to forward slashes on Windows, and another to reject object names containing backslashes. There are no known workarounds for this vulnerability, making it critical for affected users to upgrade to the patched version (MinIO Advisory).