Tagvent 2023

The Seventh Day Of Tagsmas (2023): MinIO Information Disclosure Attempt (CVE-2023-28432)

CVE: CVE-2023-28432
In CISA KEV: Yes
Vulnerability: MinIO Information Disclosure Attempt
Description: MinIO contains a vulnerability in a cluster deployment where MinIO returns all environment variables, which allows for information disclosure.

Initial Impact

CVE-2023-28432 is an information disclosure vulnerability in MinIO, a popular multi-cloud object storage framework. It affects MinIO cluster deployments starting with RELEASE.2019-12-17T23-16-33Z and before RELEASE.2023-03-20T20-16-18Z. In a distributed deployment, MinIO returns all of its environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. The vulnerability carries a CVSS score of 7.5, rated High.

The vulnerability was discovered in March 2023. It impacts all users running distributed deployments, and users are advised to upgrade to mitigate the risk of information disclosure. The vulnerability could expose sensitive information, such as secret keys and passwords, to unauthorized parties.

Exploitation and Long-Term Impacts

The vulnerability has been actively exploited in the wild. In one incident, attackers exploited two known security vulnerabilities in the MinIO server: CVE-2023-28432 and CVE-2023-28434.

GreyNoise continues to observe regular probes across its planetary-scale sensor network for MinIO deployments that are vulnerable to these exploits.

Why Defenders Should Still Be Concerned

In 2023, OpenAI released a new ChatGPT feature that allows plugins to fetch live data from various providers. The example code OpenAI provided for developers who want to integrate their plugins with the new feature uses a Docker image for MinIO RELEASE.2022-03-17, a version that is vulnerable to CVE-2023-28432.

While no information suggests that any specific actor is targeting ChatGPT example instances, the vulnerability has been observed being actively exploited in the wild. To avoid potential data breaches, users should upgrade to a patched version of MinIO (RELEASE.2023-03-20T20-16-18Z or later) and integrate security tooling such as docker-cli-scan, or use GitHub’s built-in monitoring for supply chain vulnerabilities.
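The affected window above is given as a range of MinIO release tags, and the remediation advice is to check the images you actually run. The following is an added example, not GreyNoise's or MinIO's own code: it parses the `RELEASE.YYYY-MM-DDTHH-MM-SSZ` tag format (also accepting the date-only short form quoted in this post), decides whether a tag falls inside the CVE-2023-28432 window, and triages a list of image references. The image references in the sample are constructed for illustration; only `RELEASE.2022-03-17` and the two boundary tags come from the text above. Floating tags such as `latest` are reported as unknown rather than silently treated as safe.

```python
import re
from datetime import datetime

# MinIO release tags look like RELEASE.2023-03-20T20-16-18Z. The time part is
# optional here so the shortened RELEASE.2022-03-17 form from the post parses too.
RELEASE_RE = re.compile(
    r"RELEASE\.(\d{4}-\d{2}-\d{2})(?:T(\d{2})-(\d{2})-(\d{2})Z)?"
)

# Bounds taken from the advisory text: affected from FIRST_AFFECTED (inclusive)
# up to, but not including, FIXED.
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED = "RELEASE.2023-03-20T20-16-18Z"


def parse_release(tag: str) -> datetime:
    """Convert a MinIO release tag (or an image ref ending in one) to a datetime.

    Raises ValueError when no RELEASE.<date> tag is present (e.g. ':latest'),
    so callers cannot mistake an unassessable version for a safe one.
    """
    m = RELEASE_RE.search(tag)
    if not m:
        raise ValueError(f"no MinIO RELEASE tag found in {tag!r}")
    date, hh, mm, ss = m.groups()
    # A date-only tag has no time component; treat it as the start of that day.
    hh, mm, ss = hh or "00", mm or "00", ss or "00"
    return datetime.strptime(f"{date}T{hh}:{mm}:{ss}", "%Y-%m-%dT%H:%M:%S")


def is_affected(tag: str) -> bool:
    """True when the release falls inside the CVE-2023-28432 affected window."""
    when = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= when < parse_release(FIXED)


def triage_images(image_refs):
    """Map each image reference to 'affected', 'not_affected' or 'unknown'.

    Unknown (unparseable) tags are reported explicitly instead of skipped.
    """
    result = {}
    for ref in image_refs:
        try:
            result[ref] = "affected" if is_affected(ref) else "not_affected"
        except ValueError:
            result[ref] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample input: the tag quoted in the post, the fixed release,
    # a hypothetical pre-window tag and a floating tag that cannot be assessed.
    sample = [
        "minio/minio:RELEASE.2022-03-17",
        "minio/minio:RELEASE.2023-03-20T20-16-18Z",
        "minio/minio:RELEASE.2019-10-12T01-39-57Z",  # constructed, pre-window
        "minio/minio:latest",
    ]
    for ref, verdict in triage_images(sample).items():
        print(f"{verdict:13} {ref}")
```

Feeding the function the output of `docker images --format '{{.Repository}}:{{.Tag}}'` gives a quick first pass over a host; the `unknown` verdict is deliberate so that floating tags get pinned and re-checked rather than ignored.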
