Impact
The vulnerability lies in the ListRemoteTargetHandler within RustFS's bucket replication admin API. An authenticated user, regardless of their role, can invoke this handler to list remote replication targets. Because the handler only verifies the presence of credentials and does not enforce permission checks, the returned BucketTarget objects reveal remote target access keys and secrets. The disclosure of these credentials enables an attacker to access the replication target directly, compromising confidentiality of stored data and potentially facilitating further attacks on the target system.
Affected Systems
The affected product is RustFS, a distributed object storage system written in Rust. Releases from version 1.0.0-alpha.1 through 1.0.0-beta.8 contain the flaw. No other vendors are mentioned. The issue is specific to these versions; version 1.0.0-beta.9 and later contain a fix.
Risk and Exploitability
The CVSS score is 8.2, categorizing the vulnerability as high severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. The lack of a privilege check means any authenticated user can exploit the flaw; the attack vector is the REST API, requiring only valid authentication tokens. Because the API is exposed to the network, an attacker can repeatedly call the endpoint to enumerate replication targets and leak credentials. The impact is limited to confidentiality loss, but the exposed credentials could be leveraged for further attacks. Organizations should treat the issue as high risk and address it promptly.
OpenCVE Enrichment