The vulnerability identified as CVE-2023-28434 affects Minio, a Multi-Cloud Object Storage framework. This issue allows an attacker to bypass metadata bucket name checking, enabling them to put objects into any bucket while processing `PostPolicyBucket`. The vulnerability is classified as high severity, with a CVSS score of 8.8, indicating a significant risk to organizations using affected versions of Minio.
The exploitation of this vulnerability requires that the attacker possesses credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. The urgency of patching this vulnerability is critical, as it may lead to unauthorized access and potential privilege escalation.
Organizations should prioritize patching immediately. The issue has been addressed in the release dated March 20, 2023. As a temporary workaround, users can enable browser API access and disable the environment variable `MINIO_BROWSER=off`.
The vulnerability was published on March 22, 2023, and has been categorized under the CWE-269 classification, which denotes improper privilege management. The impact can be severe, affecting confidentiality, integrity, and availability.
Vulnerability Details
Minio is a widely used multi-cloud object storage framework. The vulnerability arises due to insufficient validation of bucket names while processing specific API requests. Prior to the patch, crafted requests could exploit this flaw, allowing unauthorized object uploads to any bucket.
With a CVSS score of 8.8, this vulnerability is considered high severity. The nature of the attack vector is network-based, requiring low complexity, and it only necessitates low privileges. No user interaction is needed for exploitation.
The potential for confidentiality, integrity, and availability impact is high, with attackers being able to manipulate data within the storage framework.
Technical Analysis
The root cause of this vulnerability lies in improper validation during bucket name processing. Attackers can leverage crafted requests to bypass necessary checks, leading to unauthorized data handling.
The attack vector is network-based, and the attack complexity is low, requiring minimal effort from the attacker. The privileges required are also low: an attacker needs only valid credentials carrying `arn:aws:s3:::*` permission, not administrative access, so accounts with limited legitimate access are sufficient for exploitation.
No user interaction is required to exploit this vulnerability, further increasing its risk profile. The impacts on confidentiality, integrity, and availability are significant, as attackers can potentially manipulate or destroy critical data.
Risk & Impact Analysis
Risk to organizations includes exposure to unauthorized access and potential privilege escalation. The blast radius can be extensive, affecting multiple users and potentially leading to significant data breaches.
Given the CVSS score of 8.8, organizations are urged to address this vulnerability in their priority patch cycle. Failure to do so may result in critical data exposure and compromise of sensitive information.
| Signal | Status |
|---|---|
| Known Exploit | Yes |
| Public PoC | Yes |
| Actively Exploited | Yes |
| Ransomware Use | No |
Affected Versions
The vulnerability affects all versions of Minio prior to the patch released on March 20, 2023.
Mitigation & Remediation
Organizations are advised to apply the patch released on March 20, 2023, to remediate this vulnerability. If the patch cannot be applied immediately, enabling browser API access and turning off `MINIO_BROWSER=off` can serve as a temporary workaround.
For further details and guidance, organizations can consider engaging in penetration testing to validate their security posture.
Detection Guidance
Organizations should monitor MinIO audit logs for indicators of unauthorized access, in particular `PostPolicyBucket` requests that write to buckets the calling credentials are not expected to use, or that originate from unexpected clients, as these may indicate exploitation of this vulnerability.
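As an added example (not part of this advisory or of MinIO's own tooling), the following script runs a baseline check over constructed MinIO-style audit log lines and flags `PostPolicyBucket` calls that land in a bucket the access key is not expected to write to, or that arrive from an unexpected client network. The audit field names (`api.name`, `api.bucket`, `accessKey`, `remotehost`) and the baseline tables are assumptions to adapt to your deployment.

```python
import json
# Constructed sample audit events, not real logs. Field names follow MinIO's JSON
# audit format (api.name, api.bucket, accessKey, remotehost) as an assumption.
SAMPLE_AUDIT_LINES = [
    '{"time":"2023-03-21T10:00:01Z","api":{"name":"PostPolicyBucket","bucket":"uploads"},'
    '"accessKey":"svc-uploader","remotehost":"10.0.0.5"}',
    '{"time":"2023-03-21T10:00:02Z","api":{"name":"PostPolicyBucket","bucket":"finance-reports"},'
    '"accessKey":"svc-uploader","remotehost":"10.0.0.5"}',
    '{"time":"2023-03-21T10:00:03Z","api":{"name":"PutObject","bucket":"finance-reports"},'
    '"accessKey":"svc-uploader","remotehost":"10.0.0.5"}',
    '{"time":"2023-03-21T10:00:04Z","api":{"name":"PostPolicyBucket","bucket":"uploads"},'
    '"accessKey":"svc-uploader","remotehost":"203.0.113.9"}',
    "garbage line that is not JSON",
]

# Constructed baseline: buckets each access key is expected to post to, and the
# client network it normally comes from. Keys missing here are treated as unknown.
EXPECTED_BUCKETS = {"svc-uploader": {"uploads"}}
EXPECTED_SOURCE_PREFIX = {"svc-uploader": "10.0.0."}


def parse_event(line):
    """Flatten one audit line into the fields the check needs (raises on bad JSON)."""
    ev = json.loads(line)
    api = ev.get("api") or {}
    return {"time": ev.get("time"), "name": api.get("name"), "bucket": api.get("bucket"),
            "access_key": ev.get("accessKey"), "remote": ev.get("remotehost") or ""}


def find_suspicious_post_policy(lines, expected_buckets, expected_source_prefix):
    """Flag PostPolicyBucket events from unknown keys, into unexpected buckets,
    or from unexpected sources. Other API calls (e.g. PutObject) are ignored."""
    findings = []
    for line in lines:
        try:
            ev = parse_event(line)
        except (json.JSONDecodeError, AttributeError):
            continue  # malformed line: skip it rather than abort the whole scan
        if ev["name"] != "PostPolicyBucket":
            continue
        key = ev["access_key"]
        if key not in expected_buckets:
            reason = "unknown-key"
        elif ev["bucket"] not in expected_buckets[key]:
            reason = "unexpected-bucket"
        elif not ev["remote"].startswith(expected_source_prefix.get(key, "")):
            reason = "unexpected-source"
        else:
            continue  # matches baseline: normal upload
        findings.append({"time": ev["time"], "access_key": key, "bucket": ev["bucket"], "reason": reason})
    return findings
```

Run it against a real audit log by replacing `SAMPLE_AUDIT_LINES` with the file's lines; each finding carries the timestamp, access key, bucket and the reason it was flagged.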
AppSecure Threat Intelligence Insight
The long-term significance of CVE-2023-28434 underscores the necessity for organizations to maintain robust security practices around their cloud storage solutions. This vulnerability highlights the importance of stringent access control mechanisms and regular security assessments.
Organizations should also stay informed about emerging vulnerabilities and trends in cloud security. Implementing a vulnerability management program can aid in identifying and mitigating similar risks in the future.
For teams utilizing Minio, it is essential to conduct cloud penetration testing to ensure that their configurations are secure and resilient against potential attacks.
Finally, leveraging penetration testing methodologies can help organizations proactively identify and remediate vulnerabilities before they are exploited.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.