信息泄露(CVE-2023-28432)根据公告可得,漏洞利用的前提是使用分布式部署。官方在 https://github.com/minio/minio/pull/8550 中引入bootstrap API 并于 RELEASE.2019-12-17T23-16-33Z发布,用于验证服务器配置。漏洞相关代码如下:// minio/cmd/bootstrap-peer-server.gofunc (b *bootstrapRESTServer) VerifyHandler(w http.ResponseWriter, r *http.Request) { ctx := newContext(r, w, "VerifyHandler") cfg := getServerSystemCfg() logger.LogIf(ctx, json.NewEncoder(w).Encode(&cfg))}// minio/cmd/bootstrap-peer-server.gofunc getServerSystemCfg() ServerSystemConfig { envs := env.List("MINIO_") envValues := make(map[string]string, len(envs)) for _, envK := range envs { // skip certain environment variables as part // of the whitelist and could be configured // differently on each nodes, update skipEnvs() // map if there are such environment values if
………………………………
