MinIO Information Disclosure (CVE-2023-28432)
Description
MinIO versions prior to the patched release contain an information disclosure vulnerability in cluster deployment configurations. The vulnerability allows unauthenticated remote attackers to access the /minio/bootstrap/v1/verify endpoint, which exposes all environment variables configured on the MinIO server. These environment variables often contain sensitive credentials, API keys, and configuration secrets that can be leveraged for complete system compromise.
Remediation
Immediately upgrade MinIO to version RELEASE.2023-03-20T20-16-18Z or later, which addresses this vulnerability. For deployments that cannot be immediately upgraded:
1. Restrict network access to MinIO administrative endpoints using firewall rules or network segmentation so that only trusted IP addresses can reach them.
2. Implement a reverse proxy with authentication in front of MinIO to control access to sensitive endpoints.
3. Rotate all credentials and secrets that may have been exposed through environment variables.
4. Review access logs for unauthorized access attempts to the /minio/bootstrap/v1/verify endpoint to identify potential compromise.
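The following is an added example, not MinIO's own code, that supports two of the remediation steps above: it decides whether a given MinIO build tag predates the fixed release named in this advisory, and it scans access log lines for requests to the /minio/bootstrap/v1/verify endpoint from untrusted sources. The log lines are constructed in a combined-log style such as a reverse proxy in front of MinIO might emit (this is an assumption, not MinIO's own audit log format), and every release tag other than the fixed one is a constructed sample value.

```python
"""Version check and access-log review for CVE-2023-28432 (added example).

Assumptions: release tags follow the RELEASE.YYYY-MM-DDTHH-MM-SSZ pattern,
and log lines are combined-log style as a reverse proxy might write them.
"""
import re
from collections import defaultdict
from datetime import datetime

# Fixed release named in the advisory; anything older is treated as affected.
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"
VULN_PATH = "/minio/bootstrap/v1/verify"

_RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z)$")


def parse_release(tag: str) -> datetime:
    """Turn a tag like RELEASE.2023-03-20T20-16-18Z into a datetime."""
    m = _RELEASE_RE.match(tag.strip())
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%SZ")


def is_vulnerable(tag: str) -> bool:
    """True when the build is older than the fixed release."""
    return parse_release(tag) < parse_release(FIXED_RELEASE)


# Constructed combined-log shape: ip - - [ts] "METHOD path HTTP/x" status size
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def find_verify_hits(lines, trusted_ips=frozenset()):
    """Map source IP -> [(timestamp, status), ...] for requests to VULN_PATH.

    Requests from trusted_ips are ignored; any HTTP method counts; a query
    string on the path is stripped before comparison; unparseable lines
    are skipped rather than raising.
    """
    hits = defaultdict(list)
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != VULN_PATH or m.group("ip") in trusted_ips:
            continue
        hits[m.group("ip")].append((m.group("ts"), int(m.group("status"))))
    return dict(hits)


# Constructed sample log lines; the IPs and timestamps are not real data.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Mar/2023:10:01:02 +0000] "GET /minio/health/live HTTP/1.1" 200 0',
    '203.0.113.7 - - [21/Mar/2023:10:01:09 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1842',
    '203.0.113.7 - - [21/Mar/2023:10:01:10 +0000] "POST /minio/bootstrap/v1/verify?x=1 HTTP/1.1" 200 1842',
    '10.0.0.9 - - [21/Mar/2023:10:02:00 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1842',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    # Constructed sample tags on either side of the fixed release.
    for tag in ("RELEASE.2023-02-27T18-10-45Z", FIXED_RELEASE, "RELEASE.2023-04-07T05-28-58Z"):
        print(tag, "affected" if is_vulnerable(tag) else "patched")
    for ip, reqs in find_verify_hits(SAMPLE_LOG, trusted_ips={"10.0.0.9"}).items():
        print(f"{ip}: {len(reqs)} request(s) to {VULN_PATH}")
```

Feed find_verify_hits the proxy's access log and the set of IPs that are allowed to reach the administrative endpoints; any remaining entry is a request the firewall or proxy rule should have blocked and a reason to rotate the secrets that the endpoint would have returned.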