{"id":22799880,"url":"https://github.com/chocapikk/cve-2023-28432","last_synced_at":"2025-04-13T17:08:13.022Z","repository":{"id":206950483,"uuid":"687511506","full_name":"Chocapikk/CVE-2023-28432","owner":"Chocapikk","description":"Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables.","archived":false,"fork":false,"pushed_at":"2023-09-05T14:02:34.000Z","size":4,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":2,"default_branch":"main","last_synced_at":"2024-12-12T07:10:07.406Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Chocapikk.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2023-09-05T14:01:53.000Z","updated_at":"2024-08-12T20:32:41.000Z","dependencies_parsed_at":"2023-11-13T11:26:15.211Z","dependency_job_id":"d26e7dd1-a77d-464f-84a1-7bca9d9c7b1c","html_url":"https://github.com/Chocapikk/CVE-2023-28432","commit_stats":null,"previous_names":["chocapikk/cve-2023-28432"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2023-28432","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2023-28432/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2023-28432/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Chocapikk%2FCVE-2023-28432/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Chocapikk",
"download_url":"https://codeload.github.com/Chocapikk/CVE-2023-28432/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237381413,"owners_count":19300927,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-12-12T07:10:09.850Z","updated_at":"2025-02-05T21:47:30.587Z","avatar_url":"https://github.com/Chocapikk.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Minio Environment Variables Exploit (CVE-2023-28432)\n\n## Overview\n\nMinio is a multi-cloud object storage server. In distributed (cluster) deployments running versions from RELEASE.2019-12-17T23-16-33Z up to, but not including, RELEASE.2023-03-20T20-16-18Z, an unauthenticated `POST` to the bootstrap verification endpoint (`/minio/bootstrap/v1/verify`) makes Minio return all of its environment variables. These include `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, so the bug is an information disclosure that hands the cluster's root credentials to anyone who can reach the API port. All users of distributed deployments are affected.\n\n**CVE Identifier:** CVE-2023-28432  \n**Severity:** HIGH (Base Score: 7.5)  \n**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\n\nFor more detailed information, please refer to the official NIST page: [CVE-2023-28432](https://nvd.nist.gov/vuln/detail/CVE-2023-28432).\n\n## Pre-requisites\n\nTo exploit this vulnerability using the provided code:\n\n1. You should have Python installed in your environment.\n2. Ensure all dependencies are installed from the `requirements.txt` file. This can be done with the command:\n\n   ```\n   pip install -r requirements.txt\n   ```\n\n3. If you want to leverage Leakix for URL discovery, you need a PRO Leakix account, as basic users cannot access the bulk feature and the MinioPlugin. Configure the script with your Leakix API key.\n\n## Usage\n\nTo use the exploit script:\n\n1. If you want to check a single URL:\n\n   ```\n   python exploit_script.py -u [URL_TO_CHECK]\n   ```\n\n2. If you have a list of URLs you want to check, save them in a file (one URL per line) and use:\n\n   ```\n   python exploit_script.py -f [PATH_TO_FILE]\n   ```\n\n3. If you want to fetch URLs based on leaks from Leakix:\n\n   ```\n   python exploit_script.py --leakpy\n   ```\n\n   **Note:** Ensure your Leakix API key is configured correctly in the script if you wish to use this feature.\n\n4. To save the results to an output file:\n\n   ```\n   python exploit_script.py [OTHER_ARGUMENTS] -o [OUTPUT_FILE_PATH]\n   ```\n\n5. For verbose mode (provides more detailed information on the console):\n\n   ```\n   python exploit_script.py [OTHER_ARGUMENTS] --verbose\n   ```\n\n## Caution\n\nRemember that scanning and exploiting servers without permission is illegal. Only use this tool on systems you own or have explicit permission to test.\n\n## Recommendations\n\nAll Minio users affected by this vulnerability are advised to upgrade to RELEASE.2023-03-20T20-16-18Z or later to resolve the issue. Upgrading stops the disclosure but does not revoke anything that was already leaked: rotate `MINIO_ROOT_PASSWORD` / `MINIO_SECRET_KEY` and any other secrets passed to the server through its environment, and check whether the API port of the affected deployment was reachable from untrusted networks while it ran a vulnerable release.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fcve-2023-28432","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fchocapikk%2Fcve-2023-28432","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fchocapikk%2Fcve-2023-28432/lists"}