CVE-2023-28432 Overview
CVE-2023-28432 is a high-severity information disclosure vulnerability (CVSS 3.1 base score 7.5) in MinIO, a widely used S3-compatible object storage server. In distributed (cluster) deployments from RELEASE.2019-12-17T23-16-33Z up to but not including RELEASE.2023-03-20T20-16-18Z, an unauthenticated request to the cluster bootstrap API causes MinIO to return every environment variable of the server process, including credentials such as MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. A remote attacker who can reach the API therefore obtains the root credentials without authenticating and can take full control of the deployment's data and configuration.
Critical Impact
This vulnerability is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog and has been exploited in the wild. With the root credentials an attacker holds the same rights as the cluster administrator: reading and exfiltrating every bucket, modifying or deleting data, and changing users, policies and configuration. Because the endpoint returns the entire process environment, any other secrets stored there (KMS, identity-provider or notification-target credentials) can be used for lateral movement into surrounding cloud and identity infrastructure.
Affected Products
- MinIO distributed (multi-node) deployments from RELEASE.2019-12-17T23-16-33Z up to but not including RELEASE.2023-03-20T20-16-18Z
- Any packaging of such a deployment: bare-metal or VM clusters, and containerized or Kubernetes deployments in multi-node configurations
- Standalone single-node deployments do not serve the cluster bootstrap API and are not affected by this issue
Discovery Timeline
- 2023-03-20 - Fixed release RELEASE.2023-03-20T20-16-18Z published
- 2023-03-22 - CVE-2023-28432 published to NVD
- 2023-04-21 - Added to CISA's Known Exploited Vulnerabilities catalog
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2023-28432
Vulnerability Analysis
This information disclosure vulnerability (CWE-200) exists in MinIO's cluster bootstrap verification endpoint. When MinIO runs in distributed mode, each node exposes POST /minio/bootstrap/v1/verify so that peers can compare their configuration during cluster startup. In affected releases this endpoint required no authentication and answered with a serialized copy of the server's configuration that included every environment variable set for the MinIO process.
The exposure is particularly severe because MinIO's root credentials are normally supplied as environment variables: MINIO_ACCESS_KEY and MINIO_SECRET_KEY in older releases, MINIO_ROOT_USER and MINIO_ROOT_PASSWORD in newer ones. Any other secret present in the process environment (for example KMS, identity-provider or notification-target credentials) is disclosed by the same response. An attacker who can reach the endpoint can harvest these values and gain full administrative access to the deployment.
According to GreyNoise tracking data, active exploitation of this vulnerability has been observed in the wild, with attackers scanning for vulnerable MinIO instances across the internet.
Root Cause
The root cause is missing access control on the bootstrap verification endpoint in distributed mode, combined with over-broad response content. The endpoint was designed for node-to-node use only: at startup each server calls its peers' verify handler to confirm they share the same configuration. It was nevertheless reachable by any client on the listening port, and the verification response serialized the complete process environment rather than only the settings that need to agree across nodes, so a single unauthenticated POST to /minio/bootstrap/v1/verify returned authentication credentials along with the rest of the configuration.
Attack Vector
The attack vector is network-based and requires neither authentication nor user interaction. An attacker sends a single crafted HTTP POST request to the bootstrap verification endpoint on any reachable node of a distributed MinIO cluster. The attack flow typically involves:
- Reconnaissance to identify MinIO instances (the API listens on port 9000 by default)
- Sending a POST request to /minio/bootstrap/v1/verify (public proof-of-concept requests set Content-Type to application/x-www-form-urlencoded)
- Parsing the response to extract MINIO_ROOT_USER and MINIO_ROOT_PASSWORD (or MINIO_ACCESS_KEY and MINIO_SECRET_KEY on older configurations)
- Using the harvested credentials to authenticate to the S3 and admin APIs as the root user
The response contains every environment variable of the server process, so anything else stored there (KMS keys, notification-target or identity-provider secrets) is exposed by the same request. See the GitHub Security Advisory for complete technical details.
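As an added example (not code from this page, from MinIO or from the advisory), the following Python helpers apply two of the checks above offline: deciding whether a MinIO release tag falls inside the affected range, and recognizing a verify response that carries credential-bearing variable names. The JSON layout with a "MinioEnv" member, and the two sample bodies, are assumptions constructed for illustration and contain no real secrets.

```python
"""Added example (not MinIO's or the advisory's code): offline helpers for
triaging CVE-2023-28432.

Assumptions not taken from the page: the vulnerable verify handler answers
with a JSON object whose "MinioEnv" member maps environment variable names to
values; SAMPLE_VULNERABLE and SAMPLE_NO_SECRETS below are constructed to that
shape and contain no real secrets.
"""
import json
import re
from datetime import datetime
from typing import List

# Affected range from the advisory: first vulnerable release (inclusive) and
# first fixed release (exclusive).
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIRST_FIXED = "RELEASE.2023-03-20T20-16-18Z"

# Variable names whose values are credentials. The MINIO_* names come from the
# advisory; the pattern is deliberately broad because the endpoint returned
# every variable in the environment, not only MinIO's own.
SENSITIVE = re.compile(r"(SECRET|PASSWORD|PASSWD|TOKEN|_KEY$)", re.IGNORECASE)


def parse_release(tag: str) -> datetime:
    """Convert 'RELEASE.2023-03-13T19-46-17Z' into a comparable datetime."""
    prefix = "RELEASE."
    if not tag.startswith(prefix):
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(tag[len(prefix):], "%Y-%m-%dT%H-%M-%SZ")


def is_affected_release(tag: str) -> bool:
    """True if tag lies in [FIRST_AFFECTED, FIRST_FIXED). Only meaningful for
    distributed deployments; standalone servers do not expose the endpoint."""
    return parse_release(FIRST_AFFECTED) <= parse_release(tag) < parse_release(FIRST_FIXED)


def leaked_env_names(body: str) -> List[str]:
    """Credential-looking variable names found in a verify response body.

    Returns an empty list when the body is not JSON, has no MinioEnv member,
    or the environment carries nothing sensitive, which is what a proxy error
    page, an unrelated service or a harmless environment yields.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    env = doc.get("MinioEnv") if isinstance(doc, dict) else None
    if not isinstance(env, dict):
        return []
    return sorted(name for name in env if SENSITIVE.search(name))


# Constructed sample bodies (shape assumed, values fake).
SAMPLE_VULNERABLE = json.dumps({
    "MinioEndpoints": [{"Endpoints": ["http://minio1:9000/data"]}],
    "MinioEnv": {
        "MINIO_ROOT_USER": "minioadmin",
        "MINIO_ROOT_PASSWORD": "not-a-real-password",
        "MINIO_KMS_SECRET_KEY": "my-key:bm90LWEtcmVhbC1rZXk=",
        "PATH": "/usr/local/bin:/usr/bin",
    },
})
SAMPLE_NO_SECRETS = json.dumps({"MinioEndpoints": [], "MinioEnv": {"MINIO_REGION": "us-east-1"}})

if __name__ == "__main__":
    for tag in ("RELEASE.2023-03-13T19-46-17Z", "RELEASE.2023-03-20T20-16-18Z"):
        print(tag, "affected" if is_affected_release(tag) else "not affected")
    print("vulnerable sample leaks:", leaked_env_names(SAMPLE_VULNERABLE))
    print("no-secrets sample leaks:", leaked_env_names(SAMPLE_NO_SECRETS))
```

The version check compares release timestamps, which is how MinIO tags order naturally; the response check matches on variable names rather than values so it never needs to print a secret, and it should only be run against captured responses from hosts you are authorized to test.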
Detection Methods for CVE-2023-28432
Indicators of Compromise
- HTTP POST requests to /minio/bootstrap/v1/verify (or anything under /minio/bootstrap/) from addresses that are not cluster nodes
- Authentication events using the MinIO root access key from unfamiliar sources or IP addresses, especially shortly after such a request
- Anomalous API activity or data access patterns (bulk listing, unusual bucket, user or policy changes) following potential credential exposure
- On plaintext HTTP deployments, network traffic captures showing verify responses that carry environment variable names such as MINIO_ROOT_PASSWORD
Detection Strategies
- Monitor reverse proxy or load balancer access logs for POST requests to /minio/bootstrap/v1/verify; the only legitimate callers are the cluster's own nodes, so any other source is a probe
- Implement network intrusion detection rules that alert on bootstrap endpoint access from untrusted networks (match on the URI path; on TLS listeners this requires inspection at the terminating proxy)
- Review MinIO audit logs for requests authenticated with the root access key from unexpected sources
- Leverage threat intelligence feeds such as GreyNoise to identify known IPs scanning for this vulnerability
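The first detection strategy above, as an added example rather than tooling from MinIO or GreyNoise: it scans nginx-style "combined" access log lines from a proxy in front of the cluster and flags POST requests under /minio/bootstrap/ from any address outside the trusted ranges. The log lines and the trusted networks are constructed placeholders.

```python
"""Added example: flag bootstrap-verify probes in reverse-proxy access logs.

Illustrative detection logic, not MinIO or GreyNoise code. Assumes MinIO sits
behind a proxy writing nginx-style "combined" log lines; SAMPLE_LOG is
constructed and TRUSTED holds placeholder ranges for cluster nodes and
operator networks.
"""
import ipaddress
import re
from typing import List, Tuple

# nginx "combined" format: ip ident user [time] "method path proto" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Covers /minio/bootstrap/v1/verify and any other bootstrap route.
BOOTSTRAP_PREFIX = "/minio/bootstrap/"

# Placeholder trusted ranges: the cluster's own nodes and operator networks.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]


def is_trusted(ip: str) -> bool:
    """True if ip parses and falls inside one of the TRUSTED networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED)


def find_probes(lines: List[str]) -> List[Tuple[str, str, str, int]]:
    """Return (client_ip, time, path, status) for bootstrap POSTs from
    untrusted addresses. A 200 from a pre-fix server means the environment
    was handed out; a 403/404 from a blocked or patched server is still a
    scan worth correlating with threat intelligence."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if m["method"] != "POST" or not m["path"].startswith(BOOTSTRAP_PREFIX):
            continue
        if is_trusted(m["ip"]):
            continue  # peer node traffic is expected on this path
        hits.append((m["ip"], m["time"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (TEST-NET addresses, fake user agents).
SAMPLE_LOG = [
    '10.0.3.7 - - [21/Mar/2023:10:01:12 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1584 "-" "MinIO (linux; amd64)"',
    '203.0.113.45 - - [21/Mar/2023:10:02:30 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 200 1584 "-" "python-requests/2.28.2"',
    '203.0.113.45 - - [21/Mar/2023:10:02:31 +0000] "GET /minio/health/live HTTP/1.1" 200 0 "-" "python-requests/2.28.2"',
    '198.51.100.9 - - [21/Mar/2023:10:05:00 +0000] "POST /minio/bootstrap/v1/verify HTTP/1.1" 403 153 "-" "curl/7.88.1"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, when, path, status in find_probes(SAMPLE_LOG):
        print(f"{when} {ip} POST {path} -> {status}")
```

In production the same function can be fed from a log shipper; the important design choice is to whitelist by source address rather than by status code, because a successful probe and a blocked one are both evidence that the instance is being targeted.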
Monitoring Recommendations
- Configure alerting for any external access attempts to MinIO bootstrap endpoints
- Implement continuous monitoring of MinIO authentication logs for credential misuse
- Deploy network segmentation monitoring to detect unauthorized access to storage infrastructure
- Regularly audit MinIO access logs and correlate with threat intelligence for known exploitation attempts
How to Mitigate CVE-2023-28432
Immediate Actions Required
- Upgrade MinIO to RELEASE.2023-03-20T20-16-18Z or later immediately
- Rotate the root credentials (MINIO_ROOT_USER/MINIO_ROOT_PASSWORD, or MINIO_ACCESS_KEY/MINIO_SECRET_KEY on older configurations) after upgrading, and rotate every other secret that was present in the server environment, since the endpoint returned all of it
- Review access logs for evidence of exploitation and unauthorized access
- Restrict network access to the MinIO API port so that only the clients and cluster nodes that need it can reach it, using firewall rules or network segmentation
- Audit all data accessed using potentially compromised credentials
Patch Information
MinIO fixed this vulnerability in RELEASE.2023-03-20T20-16-18Z; from that release the bootstrap verification response no longer discloses environment variable values. All distributed MinIO deployments should upgrade to this version or later. The patched release is available from the MinIO GitHub releases page, and additional details are in the GitHub Security Advisory.
Workarounds
- Block external access to the /minio/bootstrap/ path at a reverse proxy or web application firewall in front of the cluster; this only helps if clients cannot also reach the nodes directly on port 9000
- Implement network-level restrictions so that only trusted cluster nodes and application clients can reach MinIO ports
- Deploy MinIO behind a VPN or on a private network segment to limit exposure
- Use container image scanning or inventory tools to find MinIO images older than RELEASE.2023-03-20T20-16-18Z in your environment (GreyNoise recommends this as well)
# Example nginx configuration to block the bootstrap API at the reverse proxy.
# The vulnerable route is POST /minio/bootstrap/v1/verify; ^~ matches the whole
# /minio/bootstrap/ prefix, and deny all answers with 403 on its own.
location ^~ /minio/bootstrap/ {
    deny all;
}
# Firewall rules to restrict MinIO access (iptables example): accept the internal
# range, drop everything else. Rules are evaluated in order, so an earlier broad
# ACCEPT rule for port 9000 would make the DROP ineffective.
iptables -A INPUT -p tcp --dport 9000 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 9000 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


