190 matches found
CVE-2026-27607 RustFS's Missing Post Policy Validation leads to Arbitrary Object Write
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...
CVE-2026-27607
RustFS is affected by a vulnerability in versions 1.0.0-alpha.56 through 1.0.0-alpha.82 where presigned POST uploads (PostObject) do not validate policy conditions. The server bypasses content-length-range, starts-with, and Content-Type constraints, allowing unauthorized file uploads that can exc...
CVE-2026-27607 RustFS's Missing Post Policy Validation leads to Arbitrary Object Write
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads PostObject, allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enabl...
rustfs 安全漏洞
RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS from 1.0.0-alpha.56 to 1.0.0-alpha.82 contain security vulnerabilities. These vulnerabilities stem from unvalidated pre-signed POST uploads, which may allow bypassing content length limits, start conditions...
rustfs 跨站脚本漏洞
RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to 1.0.0-alpha.83 contained a cross-site scripting vulnerability. This vulnerability stems from stored-cross-site scripts and could lead to credential leakage and account takeover attacks...
PT-2026-21848
Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.83 Description RustFS is a distributed object storage system built in Rust. A Stored Cross-Site Scripting XSS vulnerability exists in the RustFS Console, allowing an attacker to execute arbitrary JavaScript...
CVE-2026-24762
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
GHSA-R54G-49RX-98CR RustFS Logs Sensitive Credentials in Plaintext
Summary RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive...
RustFS Logs Sensitive Credentials in Plaintext
Summary RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive...
GHSA-FC6G-2GCP-2QRQ RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...
RustFS has SourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
Summary IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. Details - Vulnerable code: rustfs/src/auth.rs:289-304 sets...
CVE-2026-24762
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
CVE-2026-21862
RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...
CVE-2026-24762
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
CVE-2026-24762 RustFS Logs Sensitive Credentials in Plaintext
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
CVE-2026-24762 RustFS Logs Sensitive Credentials in Plaintext
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
CVE-2026-24762 RustFS Logs Sensitive Credentials in Plaintext
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
EUVD-2026-5218
RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material access key, secret key, session token to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be...
CVE-2026-24762
RustFS exposes credentials in plaintext in logs across versions alpha.13–alpha.81 due to logging sensitive credential material (access key, secret key, session token) at INFO level. This information disclosure could allow internal or external log consumers to obtain credentials and compromise Rus...
CVE-2026-21862 RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers
RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...