cve/2023/CVE-2023-28434.md

### [CVE-2023-28434](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-28434)
![](https://img.shields.io/static/v1?label=Product&message=minio&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3D%20%3C%20RELEASE.2023-03-20T20-16-18Z%20&color=brighgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-269%3A%20Improper%20Privilege%20Management&color=brighgreen)

### Description

Minio is a Multi-Cloud Object Storage framework. Prior to RELEASE.2023-03-20T20-16-18Z, an attacker can use crafted requests to bypass metadata bucket name checking and put an object into any bucket while processing `PostPolicyBucket`. To carry out this attack, the attacker requires credentials with `arn:aws:s3:::*` permission, as well as enabled Console API access. This issue has been patched in RELEASE.2023-03-20T20-16-18Z. As a workaround, enable browser API access and turn off `MINIO_BROWSER=off`.

### POC

#### Reference
No PoCs from references.

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/AbelChe/evil_minio
- https://github.com/CVEDB/awesome-cve-repo
- https://github.com/CVEDB/top
- https://github.com/MiracleAnameke/Cybersecurity-Vulnerability-and-Exposure-Report
- https://github.com/Mr-xn/CVE-2023-28432
- https://github.com/Mr-xn/CVE-2023-28434
- https://github.com/Mr-xn/Penetration_Testing_POC
- https://github.com/Ostorlab/KEV
- https://github.com/Ostorlab/known_exploited_vulnerbilities_detectors
- https://github.com/aneasystone/github-trending
- https://github.com/hktalent/TOP
- https://github.com/johe123qwe/github-trending
- https://github.com/lions2012/Penetration_Testing_POC
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/oxMdee/Cybersecurity-Vulnerability-and-Exposure-Report
- https://github.com/taielab/awesome-hacking-lists