Impact
RustFS is a distributed object storage system built in Rust. From version 1.0.0-alpha.1 through 1.0.0-beta.9, the FTP frontend fails to invoke IAM authorization when processing read and probe operations, allowing any authenticated FTP user to retrieve or inspect objects in any bucket regardless of their IAM policy. This flaw can lead to the disclosure of sensitive data to users who should not have access, violating confidentiality.
Affected Systems
RustFS version 1.0.0-alpha.1 to with the FTP frontend enabled is affected. Any authenticated user connecting to the FTP listener can exploit the bypass.
Risk and Exploitability
The CVSS score of 7.7 indicates a high severity. The EPSS score is unavailable and the vulnerability is not listed in the CISA KEV catalog. Attackers must have network access to the FTP listener and be able to authenticate with any FTP credentials. Once authenticated, an attacker can read or probe any object in any bucket, regardless of IAM policy restrictions. The absence of additional prerequisites makes the exploit straightforward for automated scanners, increasing.
OpenCVE Enrichment