9 matches found
CVE-2026-55874 SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read
SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...
CVE-2026-55874
SeaweedFS's S3 API gateway is affected prior to version 4.34 by a path traversal issue in the X-Amz-Copy-Source header (dot-dot segments) that can enable an authenticated user scoped to one bucket to read objects from other buckets via server-side copy. The issue is documented across CVE-2026-558...
EUVD-2026-42285
SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...
CVE-2026-39360
RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path UploadPartCopy. A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an...
CVE-2026-45042
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...
CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...
CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...
EUVD-2026-19867
RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration...
CVE-2026-39360 RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration
RustFS is a distributed object storage system built in Rust. Prior to alpha.90, RustFS contains a missing authorization check in the multipart copy path UploadPartCopy. A low-privileged user who cannot read objects from a victim bucket can still exfiltrate victim objects by copying them into an...