CVE-2023-28432 — MinIO Information Disclosure Vulnerability

CVE-2023-28432

MinIO — Unauthenticated Endpoint Returns All Environment Variables Including Admin Credentials; Chained with CVE-2023-28434 for Full Admin Takeover

What is MinIO?

MinIO is a high-performance, open-source object storage server that implements the Amazon S3 API, allowing applications built for AWS S3 to use self-hosted or on-premises storage. It is widely deployed in cloud-native environments, Kubernetes clusters, and data lake architectures for storing large volumes of unstructured data — backups, ML datasets, application artifacts, and log archives. MinIO instances often store sensitive data, and the credentials used to authenticate to them frequently also grant access to connected cloud services and S3-compatible applications, making credential exposure a high-impact event.

Overview

CVE-2023-28432 is an information disclosure vulnerability (CWE-200) in MinIO cluster deployments: when MinIO's cluster environment is configured with MINIO_SECRET_KEY or MINIO_ROOT_PASSWORD set in environment variables, an HTTP POST to the /minio/health/cluster endpoint returns all environment variables to the caller without requiring authentication. This exposes the MinIO root password and any other secrets configured as environment variables — including cloud provider credentials, API keys, and database passwords. MinIO patched the issue in release RELEASE.2023-03-13T19-46-17Z. The credential leak enables the companion CVE-2023-28434 (privilege escalation) to be exploited with the extracted admin credentials.

Affected Versions

Product: MinIO
Affected: Versions before RELEASE.2023-03-13T19-46-17Z
Fixed: RELEASE.2023-03-13T19-46-17Z

Cluster deployments where MINIO_SECRET_KEY, MINIO_ROOT_PASSWORD, or other sensitive credentials are set as environment variables are specifically at risk of credential exposure.

Technical Details

The MinIO health check endpoint at /minio/health/cluster is designed to allow monitoring systems to check cluster readiness. In the affected versions, this endpoint accepts HTTP POST requests and returns diagnostic information — including, in affected configurations, the full set of environment variables visible to the MinIO process. Because MinIO is commonly configured by passing credentials as environment variables (MINIO_ROOT_USER, MINIO_ROOT_PASSWORD), this unauthenticated endpoint exposes these credentials in the HTTP response body.

Exploitation requires nothing more than a single unauthenticated request:

POST /minio/health/cluster HTTP/1.1
Host: <minio-server>

The response body includes all MinIO environment variables in plaintext, including the root credentials.

With the root MINIO_ROOT_USER and MINIO_ROOT_PASSWORD in hand, an attacker has full MinIO administrator access — the ability to read all buckets and objects, create and delete buckets, and modify access policies. Combined with CVE-2023-28434, the attacker can also write objects to arbitrary buckets using lower-privilege credentials.

Discovery

The vulnerability was reported by security researchers. The same MinIO release (RELEASE.2023-03-13T19-46-17Z) patched both CVE-2023-28432 and CVE-2023-28434, suggesting they were discovered and reported together as a credential-leak-to-privilege-escalation chain.

Exploitation Context

Internet-accessible MinIO instances are regularly scanned by threat actors looking for misconfigured or unpatched deployments. A MinIO root credential leak is a high-value finding because:

  • MinIO stores large volumes of data that may include sensitive business data, PII, or backups
  • MinIO credentials often replicate to connected systems (applications configured to use the same credentials)
  • Data lake and ML pipeline environments may have MinIO connected to downstream processing systems, expanding lateral movement opportunities

The CISA KEV addition (April 21, 2023) followed the patch (March 13, 2023) by about five weeks, reflecting rapid exploitation of internet-accessible MinIO instances after the vulnerability was publicly disclosed.

Remediation

  1. Update MinIO to RELEASE.2023-03-13T19-46-17Z or later — this removes the unauthenticated environment variable disclosure endpoint.
  2. Rotate all credentials used in the MinIO environment if the instance was internet-accessible while running a vulnerable version — assume MINIO_ROOT_PASSWORD and any other environment-variable secrets have been compromised.
  3. Restrict MinIO health endpoints to internal networks and monitoring systems — the health check endpoints should not be accessible from the internet.
  4. Audit access logs for POST requests to /minio/health/cluster from unexpected sources during the exposure window.
  5. Also apply the CVE-2023-28434 fix (shipped in the same MinIO release) — the privilege escalation companion to this credential leak.
  6. Prefer IAM policies and access keys over root credentials for application access to MinIO — limit the blast radius if credentials are ever leaked.
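A defender-side helper for remediation steps 1 and 4, added here as an example and not part of the advisory or of MinIO itself: it compares a MinIO release string against the fixed build named above and flags POST requests to /minio/health/cluster from hosts outside a monitoring allowlist. It assumes a reverse proxy in front of MinIO writing Common Log Format access logs; the log lines, hosts and the older version string are constructed.

```python
import re
from datetime import datetime

# Fixed release named in the advisory; anything older is exposed.
FIXED_RELEASE = "RELEASE.2023-03-13T19-46-17Z"
_RELEASE_RE = re.compile(r"^RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z$")
# Common Log Format: host ident user [time] "METHOD path proto" status size
_CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})(?:\s|$)')

def parse_release(version: str) -> datetime:
    """Turn a MinIO RELEASE.<timestamp>Z string into a comparable datetime."""
    m = _RELEASE_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a MinIO release string: {version!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S")

def is_vulnerable(version: str) -> bool:
    """True when the running build predates the fixed release (step 1)."""
    return parse_release(version) < parse_release(FIXED_RELEASE)

def find_unexpected_probes(log_lines, allowed_sources):
    """Return (source, timestamp, status) for POST /minio/health/cluster hits
    from hosts that are not known monitoring systems (step 4)."""
    hits = []
    for line in log_lines:
        m = _CLF_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        src, ts, method, path, status = m.groups()
        if (method == "POST" and path.split("?")[0] == "/minio/health/cluster"
                and src not in allowed_sources):
            hits.append((src, ts, int(status)))
    return hits

# Constructed sample access log and monitoring host (assumption, not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Mar/2023:09:00:01 +0000] "GET /minio/health/live HTTP/1.1" 200 0',
    '10.0.0.5 - - [14/Mar/2023:09:00:02 +0000] "POST /minio/health/cluster HTTP/1.1" 200 1842',
    '203.0.113.77 - - [14/Mar/2023:11:22:33 +0000] "POST /minio/health/cluster HTTP/1.1" 200 1842',
    '198.51.100.9 - - [14/Mar/2023:11:22:40 +0000] "GET /bucket/obj HTTP/1.1" 403 0',
]
MONITORING_HOSTS = {"10.0.0.5"}

if __name__ == "__main__":
    # Constructed older version string, not a real MinIO build.
    print("vulnerable:", is_vulnerable("RELEASE.2023-02-01T00-00-00Z"))
    for src, ts, status in find_unexpected_probes(SAMPLE_LOG, MONITORING_HOSTS):
        print(f"review: {src} hit cluster health endpoint at {ts} (HTTP {status})")
```

Any hit from a source that is not a monitoring system during the exposure window should trigger the credential rotation in step 2.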

Key Details

CVE ID: CVE-2023-28432
Vendor / Product: MinIO — MinIO
NVD Published: 2023-03-22
NVD Last Modified: 2025-10-24
CVSS 3.1 Score: 7.5
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity: HIGH
CWE: CWE-200
CISA KEV Added: 2023-04-21
CISA KEV Deadline: 2023-05-12
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Required Action

CISA BOD 22-01 Deadline: 2023-05-12. Apply updates per vendor instructions.

Timeline

2023-03-13: MinIO releases RELEASE.2023-03-13T19-46-17Z fixing CVE-2023-28432 and CVE-2023-28434
2023-03-22: CVE-2023-28432 formally published
2023-04-21: Added to CISA Known Exploited Vulnerabilities catalog
2023-05-12: CISA BOD 22-01 remediation deadline

References

MinIO Security Advisory GHSA-6xvq-wj2x-3h3q (Vendor Advisory)
NVD — CVE-2023-28432 (Vulnerability Database)
CISA KEV Catalog Entry (US Government)