Cloud Vulnerability DB
A community-led vulnerabilities database
MinIO, a Multi-Cloud Object Storage framework, disclosed a critical security vulnerability (CVE-2023-28434) on March 22, 2023. The vulnerability allows an attacker to bypass metadata bucket name checking and put objects into any bucket while processing PostPolicyBucket. This vulnerability affects all versions prior to RELEASE.2023-03-20T20-16-18Z (MinIO Advisory, NVD).
The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue stems from an inconsistency between the check used for routing post policy requests and the check that prevents access to reserved buckets, which could lead to unauthorized access to system buckets. To be exploited, the vulnerability requires credentials with arn:aws:s3:::* permission and enabled Console API access (MinIO Advisory).
The vulnerability allows attackers to bypass restrictions and write objects directly into system buckets, potentially leading to privilege escalation. This could expose sensitive information present within the compromised installation and facilitate remote code execution on the host where the MinIO application is operational (Hacker News).
The vulnerability has been patched in MinIO version RELEASE.2023-03-20T20-16-18Z. Exploitation requires browser (Console) API access to be enabled; as a workaround, users can turn off Console API access by setting MINIO_BROWSER=off. Organizations are advised to update to the patched version immediately (MinIO Advisory).
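The following is an added example, not part of this database entry or of MinIO's own code, showing how a defender could triage a deployment against the details above: it parses MinIO's RELEASE.YYYY-MM-DDTHH-MM-SSZ version tag, compares it with the fixed release named on this page, and checks whether the MINIO_BROWSER=off workaround is in effect. The function names and the sample version strings are assumptions constructed for the example.

```python
from datetime import datetime

# Fixed release named in the advisory; anything strictly older is affected.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"
# MinIO release tags encode the build timestamp in this layout.
RELEASE_FORMAT = "RELEASE.%Y-%m-%dT%H-%M-%SZ"


def parse_release(version: str) -> datetime:
    """Turn a MinIO release tag into its build timestamp.

    Raises ValueError for strings that are not in the RELEASE.* layout
    (for example development builds), so callers never silently treat an
    unparseable version as patched.
    """
    return datetime.strptime(version.strip(), RELEASE_FORMAT)


def is_affected(version: str, fixed: str = FIXED_RELEASE) -> bool:
    """True when the running release predates the fixed release."""
    return parse_release(version) < parse_release(fixed)


def workaround_active(env: dict) -> bool:
    """True when Console API access is disabled via MINIO_BROWSER=off.

    `env` is the server's environment (e.g. a copy of os.environ); MinIO
    enables the Console by default, so a missing variable counts as "on".
    """
    return env.get("MINIO_BROWSER", "on").strip().lower() == "off"


def assess(version: str, env: dict) -> str:
    """Classify a deployment for CVE-2023-28434 (hypothetical helper)."""
    if not is_affected(version):
        return "patched"
    if workaround_active(env):
        # Still vulnerable code, but the advisory's precondition (Console
        # API access) is removed; upgrading remains the real fix.
        return "affected-but-mitigated"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs, not real deployment data.
    print(assess("RELEASE.2023-02-01T00-00-00Z", {}))                      # affected
    print(assess("RELEASE.2023-02-01T00-00-00Z", {"MINIO_BROWSER": "off"}))  # affected-but-mitigated
    print(assess(FIXED_RELEASE, {}))                                       # patched
```

The version string can be read from the `minio --version` output or the server's `/minio/health` headers in a real inventory pass; the point of raising on unparseable tags is that an unknown build should be escalated for manual review rather than assumed safe.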
The vulnerability has gained significant attention from the security community, leading to its inclusion in CISA's KEV catalog. This inclusion requires federal agencies to remediate the vulnerability according to CISA's directive (NVD).
Source: This report was generated using AI