Minio Vulnerability List
Found 17 vulnerabilities related to Minio
-
CVE-2021-21287: MinIO Browser API - Server-Side Request Forgery POC
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. -
CVE-2023-28432: MinIO Unauthorized Information Disclosure POC
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z. fofa: app="minio" -
minio-default-password: Minio Default Password POC
Minio default admin credentials were discovered. -
minio-browser: MinIO Browser POC
shodan-query: title:"MinIO Browser" -
minio-console: MinIO Console POC
fofa-query: app="MinIO-Console" shodan-query: title:"MinIO Console" -
CVE-2021-21287: MinIO Browser API - Server-Side Request Forgery POC
MinIO Browser API before version RELEASE.2021-01-30T00-20-58Z contains a server-side request forgery vulnerability. -
CVE-2021-41266: MinIO Operator Console Authentication Bypass POC
MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. Affected versions are subject to an authentication bypass issue in the Operator Console when an external IDP is enabled. -
CVE-2023-28432: MinIO Cluster Deployment - Information Disclosure POC
MinIO is susceptible to information disclosure. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD. An attacker can potentially obtain sensitive information, modify data, and/or execute unauthorized operations without entering necessary credentials. All users of distributed deployment are impacted. -
CVE-2023-2982: Miniorange Social Login and Register <= 7.6.3 - Authentication Bypass POC
The WordPress Social Login and Register (Discord, Google, Twitter, LinkedIn) plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 7.6.4. This is due to insufficient encryption on the user being supplied during a login validated through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they know the email address associated with that user. This was partially patched in version 7.6.4 and fully patched in version 7.6.5. -
CVE-2025-31489: MinIO - Incomplete Signature Validation for Unsigned-Trailer Uploads POC
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. The signature component of the authorization may be invalid, which would mean that as a client you can use any arbitrary secret to upload objects given the user already has prior WRITE permissions on the bucket. Prior knowledge of the access-key and of a bucket name this user might have access to, and an access-key with WRITE permissions, is necessary. However, with the relevant information in place, uploading random objects to buckets is trivial and easy via curl. -
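MinIO Console Authentication Bypass Vulnerability (CVE-2021-41266) No POC
MinIO Console is a graphical user interface for the MinIO Operator. MinIO itself is a multi-cloud object storage project. When an external IDP is enabled, affected versions are subject to an authentication bypass issue in the Operator Console. -
MinIO Browser Weak Password Vulnerability No POC
A weak password vulnerability means that a system uses simple, easily guessed, or common passwords, allowing an attacker to easily obtain account privileges by guessing or brute force and then access or control the affected system resources. This kind of vulnerability is usually caused by the lack of an effective password policy or by users' neglect of security awareness. -
MinIO verify Interface Sensitive Information Disclosure Vulnerability (CVE-2023-28432) No POC
MinIO is an open-source object storage service that is compatible with the Amazon S3 API and can be used in private or public clouds. MinIO is a high-performance, highly available distributed storage system that can store large amounts of data and provide high-speed reads and writes of that data. MinIO uses a distributed architecture and can run on multiple nodes, enabling distributed storage and processing of data. The MinIO verify interface has a sensitive information disclosure vulnerability: by constructing a special URL, an attacker can read sensitive system information. -
Remote Command Execution in the MinIO Update/Upgrade Function No POC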
/ -
Minio CVE-2023-28432 Sensitive Information Disclosure Vulnerability No POC
-
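MinIO Unauthenticated SSRF (CVE-2021-21287) No POC
MinIO is an open-source object storage system that supports deployment in private clouds. It has an SSRF vulnerability: through the Host of the HTTP packet, an attacker can control the IP and port that are accessed. -
Minio Server Default Account Password No POC
Minio is an object storage server released under Apache License v2.0. It is compatible with the Amazon S3 cloud storage service. It is best suited for storing unstructured data such as photos, videos, log files, backups, and container/VM images. Objects can range in size from a few KB up to a maximum of 5 TB. The Minio server is lightweight enough to be bundled with an application stack, similar to NodeJS, Redis, and MySQL. The Minio server has default credentials: AccessKey: minioadmin, SecretKey: minioadmin.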