High severityCISA KEVNVD Advisory· Published Mar 22, 2023· Updated Oct 21, 2025
MinIO is vulnerable to privilege escalation on Linux/MacOS
CVE-2023-28434
Description
Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing PostPolicyBucket. To carry out this attack, the attacker requires credentials with arn:aws:s3:::* permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off MINIO_BROWSER=off.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/minio/minioGo | < 0.0.0-202303200415 | 0.0.0-202303200415 |
Affected products
19- osv-coords18 versionspkg:apk/chainguard/miniopkg:apk/chainguard/minio-bitnami-2024-compatpkg:apk/chainguard/minio-bitnami-2025-compatpkg:apk/chainguard/minio-iamguarded-2025-compatpkg:apk/wolfi/miniopkg:apk/wolfi/minio-bitnami-2024-compatpkg:apk/wolfi/minio-bitnami-2025-compatpkg:apk/wolfi/minio-iamguarded-2025-compatpkg:bitnami/miniopkg:deb/ubuntu/golang-github-minio-minio-go?arch=src?distro=esm-apps/bionicpkg:deb/ubuntu/golang-github-minio-minio-go?arch=src?distro=focalpkg:deb/ubuntu/golang-github-minio-minio-go?arch=src?distro=jammypkg:deb/ubuntu/golang-github-minio-minio-go?arch=src?distro=noblepkg:deb/ubuntu/golang-github-minio-minio-go?arch=src?distro=oracularpkg:deb/ubuntu/golang-github-minio-minio-go-v7?arch=src?distro=jammypkg:deb/ubuntu/golang-github-minio-minio-go-v7?arch=src?distro=noblepkg:deb/ubuntu/golang-github-minio-minio-go-v7?arch=src?distro=oracularpkg:golang/github.com/minio/minio
< 0.20230413.030807-r0+ 17 more
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 0.20230413.030807-r0
- (no CPE)range: < 2023.03.20
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: >= 0
- (no CPE)range: < 0.0.0-202303200415
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-2pxw-r47w-4p8cghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-28434ghsaADVISORY
- github.com/minio/minio/commit/67f4ba154a27a1b06e48bfabda38355a010dfca5ghsax_refsource_MISCWEB
- github.com/minio/minio/pull/16849ghsax_refsource_MISCWEB
- github.com/minio/minio/security/advisories/GHSA-2pxw-r47w-4p8cghsax_refsource_CONFIRMWEB
- www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB
News mentions
0No linked articles in our index yet.