fix-template

cves/2023/CVE-2023-28432.yaml

@@ -1,9 +1,11 @@
 id: CVE-2023-28432
 info:
-  name: Minio post policy request security bypass
+  name: Minio Information Disclosure in Cluster Deployment
   author: Mr-xn
   severity: high
-  description: Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
+  description: |
+    Minio is a Multi-Cloud Object Storage framework. In a cluster deployment starting with RELEASE.2019-12-17T23-16-33Z and prior to RELEASE.2023-03-20T20-16-18Z, MinIO returns all environment variables, including MINIO_SECRET_KEY and MINIO_ROOT_PASSWORD, resulting in information disclosure. All users of distributed deployment are impacted. All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z.
+  remediation: All users are advised to upgrade to RELEASE.2023-03-20T20-16-18Z
   reference:
     - https://github.com/minio/minio/security/advisories/GHSA-6xvq-wj2x-3h3q
     - https://github.com/minio/minio/pull/16853/files
@@ -14,7 +16,10 @@ info:
     cvss-score: 7.5
     cve-id: CVE-2023-28432
     cwe-id: CWE-200
-  tags: cve,cve2023,
+  metadata:
+    verified: "true"
+    shodan-query: title:"Minio Console"
+  tags: cve,cve2023,minio,console
 requests:
   - raw:
       - |+
@@ -27,11 +32,16 @@ requests:
       - type: word
         part: body
         words:
-          - '"MinioEndpoints"'
+          - '"MINIO_KMS_SECRET_KEY":'
+          - '"MINIO_ROOT_PASSWORD":'
+          - '"MINIO_ROOT_USER":'
+        condition: and
+
       - type: word
         part: header
         words:
-          - 'Content-Type: text/plain'
+          - 'text/plain'
+
       - type: status
         status:
           - 200