CVE-2023-28433

HIGH Year: 2023
CVSS v3 Score
8.8
High
Weakness Type
CWE-668
View all →

Vulnerability Description

Minio is a Multi-Cloud Object Storage framework. All users on Windows prior to version RELEASE.2023-03-20T20-16-18Z are impacted. MinIO fails to filter the `\` character, which allows for arbitrary object placement across buckets. As a result, a user with low privileges, such as an access key, service account, or STS credential, which only has permission to `PutObject` in a specific bucket, can create an admin user. This issue is patched in RELEASE.2023-03-20T20-16-18Z. There are no known workarounds.

Related Vulnerabilities

CVE-2016-10840

HIGH
CVSS:8.8(High)

cPanel before 11.54.0.4 allows arbitrary code execution during locale duplication (SEC-72).

CWE-6682016

CVE-2017-0367

HIGH
CVSS:8.8(High)

Mediawiki before 1.28.1 / 1.27.2 contains an unsafe use of temporary directory, where having LocalisationCache directory default to system tmp directory is insecure.

CWE-6682017

CVE-2017-15393

HIGH
CVSS:8.8(High)

Insufficient Policy Enforcement in Devtools remote debugging in Google Chrome prior to 62.0.3202.62 allowed a remote attacker to obtain access to remote debugging functionality via a crafted HTML page...

CWE-6682017

CVE-2017-15592

HIGH
CVSS:8.8(High)

An issue was discovered in Xen through 4.9.x allowing x86 HVM guest OS users to cause a denial of service (hypervisor crash) or possibly gain privileges because self-linear shadow mappings are mishand...

CWE-6682017

CVE-2018-20321

HIGH
CVSS:8.8(High)

An issue was discovered in Rancher 2 through 2.1.5. Any project member with access to the default namespace can mount the netes-default service account in a pod, and then use that pod to execute admin...

CWE-6682018

CVE-2019-12274

HIGH
CVSS:8.8(High)

In Rancher 1 and 2 through 2.2.3, unprivileged users (if allowed to deploy nodes) can gain admin access to the Rancher management plane because node driver options intentionally allow posting certain ...

CWE-6682019