Lucene search
K

27 matches found

NVD
NVD
added 6 hours ago5 views

CVE-2026-55874

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS
Exploits0References4
Cvelist
Cvelist
added 7 hours ago7 views

CVE-2026-55874 SeaweedFS: Path traversal in the S3 gateway X-Amz-Copy-Source header allows cross-bucket object read

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS
Exploits0References4
CVE
CVE
added 7 hours ago10 views

CVE-2026-55874

SeaweedFS's S3 API gateway is affected prior to version 4.34 by a path traversal issue in the X-Amz-Copy-Source header (dot-dot segments) that can enable an authenticated user scoped to one bucket to read objects from other buckets via server-side copy. The issue is documented across CVE-2026-558...

7.7CVSS6AI score
Exploits0References4
EUVD
EUVD
added 7 hours ago2 views

EUVD-2026-42285

SeaweedFS is a distributed storage system. Prior to 4.34, the S3 API gateway does not reject dot-dot path segments in the X-Amz-Copy-Source header used by CopyObject and UploadPartCopy, allowing an authenticated identity scoped to one bucket to read objects from other buckets through server-side...

7.7CVSS6AI score
Exploits0References4
OSV
OSV
added 2026/06/30 11:51 p.m.5 views

BIT-SEAWEEDFS-2026-54917 SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

SeaweedFS is a distributed storage system for object storage S3, file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter.SkipCleantrue. With path cleaning disabled, a .. segment inside the URL survives...

10CVSS5.8AI score0.00766EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/06/30 3:57 p.m.33 views

CVE-2026-58372 SeaweedFS < 4.34 - Cross-Bucket Object Deletion via DeleteObjects Request-Body Keys

SeaweedFS before 4.34 contains a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler that allows authenticated S3 principals with write access to a single bucket to delete arbitrary objects in other tenants' buckets by supplying object keys containing ../ sequences in the...

8.1CVSS0.00766EPSS
Exploits0References6
CVE
CVE
added 2026/06/30 3:57 p.m.12 views

CVE-2026-58372

SeaweedFS prior to 4.34 is affected by a path traversal vulnerability in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to a single bucket can delete arbitrary objects in other tenants’ buckets by sending object keys containing ../ in the DeleteObjects ...

8.1CVSS5.9AI score0.00766EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/06/30 12:0 a.m.9 views

PT-2026-53930

Name of the Vulnerable Software and Affected Versions SeaweedFS versions prior to 4.34 Description A path traversal issue exists in the S3 gateway DeleteMultipleObjectsHandler. Authenticated S3 principals with write access to one bucket can delete arbitrary objects in buckets belonging to other...

8.1CVSS6AI score0.00766EPSS
Exploits0References10
CVE
CVE
added 2026/06/26 8:1 p.m.15 views

CVE-2026-49991

RustFS 1.0.0-beta.4 is affected by a path traversal vulnerability in the Snowball auto-extract feature. Authenticated users with only PutObject permission on their own bucket can write arbitrary objects into other users’ buckets, breaking multi-tenant isolation. Root causes include: (1) No ../ sa...

8.6CVSS5.9AI score0.00273EPSS
Exploits0References1
CVE
CVE
added 2026/06/25 6:41 p.m.18 views

CVE-2026-54917

CVE-2026-54917 affects SeaweedFS prior to 4.30. The S3 gateway and Iceberg REST catalog gateway construct routers with mux.NewRouter().SkipClean(true); when path cleaning is disabled, a .. segment in URLs can survive routing (example: GET /bucket-A/../evil-bucket/key) and be parsed as a valid buc...

10CVSS5.9AI score0.00345EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/06/25 6:41 p.m.21 views

CVE-2026-54917 SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access

SeaweedFS is a distributed storage system for object storage S3, file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter.SkipCleantrue. With path cleaning disabled, a .. segment inside the URL survives...

7.8CVSS0.00345EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.9 views

CVE-2026-45042

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS5.5AI score0.00207EPSS
Exploits0References1
NVD
NVD
added 2026/05/28 7:16 p.m.16 views

CVE-2026-45042

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS0.00207EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/28 6:32 p.m.9 views

CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 6:32 p.m.10 views

EUVD-2026-32995

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 6:32 p.m.33 views

CVE-2026-45042

RustFS is a distributed object storage system in Rust. Prior to 1.0.0-beta.2, the UploadPartCopy operation could copy objects across buckets without enforcing destination bucket policy on the source, because the implementation separately validates GetObject on the source and PutObject on the dest...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/28 6:32 p.m.7 views

CVE-2026-45042

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/05/28 6:32 p.m.39 views

CVE-2026-45042 RustFS: UploadPartCopy Does Not Enforce Destination Bucket Policy on Copy Source

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS0.00207EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.12 views

PT-2026-44470

RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, improper authorization in the UploadPartCopy operation allows copying objects across buckets without enforcing destination bucket restrictions on allowed copy sources. The implementation validates GetObject...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.8 views

rustfs 安全漏洞

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to 1.0.0-beta.2 contained a security vulnerability. This vulnerability stemmed from improper authorization in the UploadPartCopy operation, allowing objects to be copied across buckets without enforci...

7.1CVSS5.8AI score0.00207EPSS
Exploits0References1
Rows per page
Query Builder