Impact
In a cluster deployment, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure.
All users of distributed deployments are impacted. All users are advised to upgrade ASAP.
Patches
commit 3b5dbf90468b874e99253d241d16d175c2454077
Author: Harshavardhana <harsha@minio.io>
Date: Mon Mar 20 01:40:24 2023 -0700
allow bootstrapping to validate internode tokens (#16853)
Workarounds
There are no known workarounds.
References
The vulnerable code:
// minio/cmd/bootstrap-peer-server.go
// The handler performs no authentication before serializing the server config.
func (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) {
	ctx := newContext(r, w, "VerifyHandler")
	cfg := getServerSystemCfg()
	logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))
}

// minio/cmd/bootstrap-peer-server.go
// Every MINIO_* variable not in skipEnvs, credentials included, ends up in the response.
func getServerSystemCfg() ServerSystemConfig {
	envs := env.List("MINIO_")
	envValues := make(map[string]string, len(envs))
	for _, envK := range envs {
		// skip certain environment variables as part
		// of the whitelist that could be configured
		// differently on each node; update the skipEnvs()
		// map if there are such environment values
		if _, ok := skipEnvs[envK]; ok {
			continue
		}
		envValues[envK] = env.Get(envK, "")
	}
	return ServerSystemConfig{
		MinioEndpoints: globalEndpoints,
		MinioEnv:       envValues,
	}
}
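A hardened counterpart to the two functions above, added here as an example (it is neither MinIO's code nor the fix from commit 3b5dbf9): the handler refuses callers that lack a shared internode token, and the config builder never serializes credential-bearing variables even for authenticated peers. The header name X-Minio-Internode-Token, the suffix deny-list and the environ-slice parameter are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"strings"
)

type ServerSystemConfig struct {
	MinioEnv map[string]string `json:"minioEnv"`
}

// Hypothetical deny-list of credential-bearing suffixes; skipEnvs in the
// vulnerable code only excluded per-node settings, not secrets.
func isSecret(key string) bool {
	for _, s := range []string{"_SECRET_KEY", "_ROOT_PASSWORD", "_PASSWORD", "_TOKEN"} {
		if strings.HasSuffix(key, s) {
			return true
		}
	}
	return false
}

// getServerSystemCfg collects MINIO_* entries from an environ slice
// (the "KEY=value" form returned by os.Environ), dropping secrets.
func getServerSystemCfg(environ []string) ServerSystemConfig {
	envValues := make(map[string]string)
	for _, kv := range environ {
		k, v, ok := strings.Cut(kv, "=")
		if !ok || !strings.HasPrefix(k, "MINIO_") || isSecret(k) {
			continue
		}
		envValues[k] = v
	}
	return ServerSystemConfig{MinioEnv: envValues}
}

// verifyHandler refuses the request unless it carries the shared internode
// token (assumed header name), so unauthenticated callers receive nothing.
func verifyHandler(token string, environ []string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Minio-Internode-Token")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		cfg := getServerSystemCfg(environ)
		_ = json.NewEncoder(w).Encode(&cfg)
	}
}
```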