https://github.com/chocapikk/cve-2023-28432
Automated vulnerability scanner for CVE-2023-28432 in Minio deployments, revealing sensitive environment variables.
- Host: GitHub
- URL: https://github.com/chocapikk/cve-2023-28432
- Owner: Chocapikk
- Created: 2023-09-05T14:01:53.000Z (almost 3 years ago)
- Default Branch: main
- Last Pushed: 2023-09-05T14:02:34.000Z (almost 3 years ago)
- Last Synced: 2024-12-12T07:10:07.406Z (over 1 year ago)
- Language: Python
- Size: 3.91 KB
- Stars: 3
- Watchers: 2
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# Minio Environment Variables Exploit (CVE-2023-28432)
## Overview
Minio is a Multi-Cloud Object Storage framework. In distributed (cluster) deployments running versions from RELEASE.2019-12-17T23-16-33Z up to, but not including, RELEASE.2023-03-20T20-16-18Z, Minio returns all of its environment variables to an unauthenticated requester. These include critical values such as `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, so the flaw is an information disclosure. All users of a distributed deployment in that version range are affected.
**CVE Identifier:** CVE-2023-28432
**Severity:** HIGH (Base Score: 7.5)
**Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
For more detailed information, please refer to the official NIST page: [CVE-2023-28432](https://nvd.nist.gov/vuln/detail/CVE-2023-28432).
## Pre-requisites
To exploit this vulnerability using the provided code:
1. You should have Python installed in your environment.
2. Ensure all dependencies are installed from the `requirements.txt` file. This can be done with the command:
```
pip install -r requirements.txt
```
3. If you want to leverage Leakix for URL discovery, you need a Leakix PRO account, because basic accounts cannot use the bulk feature or the MinioPlugin. You must also configure the script with your Leakix API key.
## Usage
To use the exploit script:
1. If you want to check a single URL:
```
python exploit_script.py -u [URL_TO_CHECK]
```
2. If you have a list of URLs you want to check, save them in a file (one URL per line) and use:
```
python exploit_script.py -f [PATH_TO_FILE]
```
3. If you want to fetch URLs based on leaks from Leakix:
```
python exploit_script.py --leakpy
```
**Note:** Ensure your Leakix API key is configured correctly in the script if you wish to use this feature.
4. To save the results to an output file:
```
python exploit_script.py [OTHER_ARGUMENTS] -o [OUTPUT_FILE_PATH]
```
5. For verbose mode (provides more detailed information on the console):
```
python exploit_script.py [OTHER_ARGUMENTS] --verbose
```
## Caution
Remember that scanning and exploiting servers without permission is illegal. Only use this tool on systems you own or have explicit permission to test.
## Recommendations
All Minio users affected by this vulnerability are advised to upgrade to RELEASE.2023-03-20T20-16-18Z or later to resolve the issue.
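The affected range in the Overview and the fixed release in the Recommendations are both expressed as MinIO release tags, which sort chronologically once the embedded timestamp is parsed. The following is an added example, not code from the chocapikk repository, showing how a defender can triage an inventory of MinIO hosts against that range. The host names and version strings in `SAMPLE_INVENTORY` are constructed for illustration; the two release tags come from the README. Because the README scopes the issue to distributed deployments, an "affected" result here should be read together with the deployment mode of each host.

```python
"""Added example (not part of the chocapikk/cve-2023-28432 project): classify
MinIO hosts by whether their release tag falls in the range the README gives
for CVE-2023-28432."""
import re
from datetime import datetime

# Boundaries stated in the README: the first affected tag is included,
# the fixed tag is excluded (upgrading to it or later resolves the issue).
FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"
FIXED_RELEASE = "RELEASE.2023-03-20T20-16-18Z"

# MinIO tags look like RELEASE.YYYY-MM-DDTHH-MM-SSZ; the time part uses '-'
# instead of ':' so the tag is safe to use as a filename.
_TAG_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")


def parse_release(tag: str) -> datetime:
    """Turn a MinIO release tag into a datetime so tags compare chronologically.
    Raises ValueError for anything that is not a well-formed release tag."""
    match = _TAG_RE.match(tag.strip())
    if not match:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(match.group(1), "%Y-%m-%dT%H-%M-%S")


def is_affected(tag: str) -> bool:
    """True if the tag lies in [FIRST_AFFECTED, FIXED_RELEASE)."""
    version = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= version < parse_release(FIXED_RELEASE)


def triage(inventory: dict) -> dict:
    """Map host -> status for an inventory of host -> release tag.

    Statuses: 'affected', 'fixed', 'predates affected range', 'unparsable'.
    Unparsable entries are reported rather than skipped so they get a manual
    follow-up instead of silently passing."""
    fixed = parse_release(FIXED_RELEASE)
    first = parse_release(FIRST_AFFECTED)
    result = {}
    for host, tag in inventory.items():
        try:
            version = parse_release(tag)
        except ValueError:
            result[host] = "unparsable"
            continue
        if version >= fixed:
            result[host] = "fixed"
        elif version >= first:
            result[host] = "affected"
        else:
            result[host] = "predates affected range"
    return result


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = {
    "minio-a.example.internal": "RELEASE.2023-02-10T01-02-03Z",  # inside range
    "minio-b.example.internal": "RELEASE.2023-03-20T20-16-18Z",  # fixed boundary
    "minio-c.example.internal": "RELEASE.2019-12-17T23-16-33Z",  # first affected
    "minio-d.example.internal": "RELEASE.2019-10-01T00-00-00Z",  # before range
    "minio-e.example.internal": "unknown",                       # bad data
}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:28} {SAMPLE_INVENTORY[host]:32} {status}")
```

Feed `triage` the version strings from your own asset inventory; hosts reported as "affected" are the ones the README's upgrade advice applies to, and "unparsable" rows flag inventory entries that need checking by hand.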