Rustfs
RustFS distributed object storage (all versions prior to 1.0.0-beta.2) leaks sensitive credentials - including SessionTokens (JWT), SecretAccessKeys, and full JWT claim payloads - in plaintext to server logs when debug-level logging is active. Any authenticated party with read access to those log files can harvest live credentials for lateral movement or unauthorized storage access. No public exploit identified at time of analysis, but the impact of credential exposure is high if debug logging is inadvertently enabled in production. A vendor-released patch is available in 1.0.0-beta.2.
License-enforcement bypass in RustFS distributed object storage (versions prior to 1.0.0-beta.2) stems from a hardcoded 2048-bit RSA private key (TEST_PRIVATE_KEY) shipped in crates/appauth/src/token.rs and used in production by parse_license() to verify license tokens. Any attacker who can read the public repository or extract the key from a compiled binary can mint arbitrary license tokens with any subject and expiration, defeating the license feature entirely. No public exploit identified at time of analysis, though the key material is trivially recoverable from the open-source code.
Unauthenticated information disclosure in RustFS exposes parsed license metadata - including license subject and expiration timestamp - via the console endpoint GET /rustfs/console/license to any network client that can reach the console listener, with no credentials required. All RustFS releases prior to 1.0.0-beta.2 are affected. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 confidentiality impact is rated Low given the non-sensitive nature of the disclosed data.
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored objects and executes when accessed. PoC available.
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to circumvent presigned POST upload policy restrictions, bypassing content-length-range, starts-with, and Content-Type controls. An attacker can exploit this to upload oversized files, write to arbitrary object keys, and spoof file types, resulting in storage exhaustion and potential unauthorized data access.
Rustfs versions up to 1.0.0 are affected by insertion of sensitive information into a log file (CVSS 7.5).
RustFS is a distributed object storage system built in Rust. [CVSS 7.5 HIGH]
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invalidly signed RPC requests, allowing attackers with log access to obtain authentication credentials and forge RPC calls. The vulnerability stems from improper error handling in the HTTP authentication module that logs sensitive cryptographic material. Public exploit code exists for this high-severity flaw, which is remediated in version 1.0.0-alpha.80.
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted credentials by exploiting a flawed deny_only check in the IAM system. PoC available, patch available.
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files on the server. PoC available, fixed in alpha.79.