Rustfs
Monthly
Stored XSS in RustFS distributed object storage system before 1.0.0-alpha.83. Malicious JavaScript persists in stored objects and executes when accessed. PoC available.
Insufficient input validation in RustFS versions 1.0.0-alpha.56 through 1.0.0-alpha.82 allows authenticated attackers to circumvent presigned POST upload policy restrictions, bypassing content-length-range, starts-with, and Content-Type controls. An attacker can exploit this to upload oversized files, write to arbitrary object keys, and spoof file types, resulting in storage exhaustion and potential unauthorized data access.
Rustfs versions up to 1.0.0 are affected by insertion of sensitive information into a log file (CVSS 7.5).
RustFS is a distributed object storage system built in Rust. [CVSS 7.5 HIGH]
RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79 expose the shared HMAC secret in server logs when processing invalidly signed RPC requests, allowing attackers with log access to obtain authentication credentials and forge RPC calls. The vulnerability stems from improper error handling in the HTTP authentication module that logs sensitive cryptographic material. Public exploit code exists for this high-severity flaw, which is remediated in version 1.0.0-alpha.80.
RustFS (alpha.13 to alpha.78) has a privilege escalation where restricted service accounts can self-issue unrestricted credentials by exploiting a flawed deny_only check in the IAM system. PoC available, patch available.
Incorrect IAM permission validation in RustFS prior to version 1.0.0-alpha.79 permits principals with export-only permissions to execute import operations, enabling unauthorized modification of users, groups, policies, and service accounts. Public exploit code exists for this vulnerability, and authenticated attackers can escalate privileges through malicious IAM imports. The issue affects all pre-1.0.0-alpha.79 versions with no patch currently available.
RustFS is a distributed object storage system built in Rust. [CVSS 4.0 MEDIUM]
RustFS (alpha.13 to alpha.78) has a path traversal in /rustfs/rpc/read_file_stream that allows reading arbitrary files on the server. PoC available, fixed in alpha.79.