x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-28432

[GoVulnBot]

CVE-2023-28432 references github.com/minio/minio, which may be a Go module.

Description:
Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-28432
• JSON: https://github.com/CVEProject/cvelist/tree/62be7ee36f0eead443ed7698fa19b4bd5afe10ad/2023/28xxx/CVE-2023-28432.json
• advisory: GHSA-6xvq-wj2x-3h3q
• web: https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z
• Imported by: https://pkg.go.dev/github.com/minio/minio?tab=importedby

Cross references:

• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2021-43858 #285 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-24842 #421 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-31028 #479 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2022-35919 #756 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-25812 #1591 EFFECTIVELY_PRIVATE
• Module github.com/minio/minio appears in issue x/vulndb: potential Go vuln in github.com/minio/minio: CVE-2023-27589 #1634 EFFECTIVELY_PRIVATE

See doc/triage.md for instructions on how to triage this report.

modules:
  - module: github.com/minio/minio
    packages:
      - package: minio
description: |
    Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
cves:
  - CVE-2023-28432
references:
  - advisory: https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
  - web: https://github.com/minio/minio/releases/tag/RELEASE.2023-03-20T20-16-18Z

[gopherbot]

Change https://go.dev/cl/478875 mentions this issue: data/excluded: batch add excluded reports

[gopherbot]

Change https://go.dev/cl/479297 mentions this issue: data/excluded: batch add GO-2023-1674, GO-2023-1671, GO-2023-1670, GO-2023-1669, GO-2023-1668, GO-2023-1667, GO-2023-1662, GO-2023-1661, GO-2023-1660, GO-2023-1659, GO-2023-1658, GO-2023-1657, GO-2023-1656, GO-2023-1655, GO-2023-1654, GO-2023-1653, GO-2023-1673, GO-2023-1666, GO-2023-1665

[gopherbot]

Change https://go.dev/cl/592760 mentions this issue: data/reports: unexclude 75 reports