Impact
RustFS 1.0.0-beta.7 and earlier allow any authenticated IAM user to call the /rustfs/admin/v3 which should have been protected by admin‑level authorization. The omission of the validate_admin_request call lets users obtain server‑wide operational metrics including disk I/O, network throughput, scanner cycle timing, and cluster RPC state. While the data itself may not reveal credentials, it provides attackers with valuable insight into cluster activity, resource usage, and potential bottlenecks that can aid in planning further attacks or reducing detection. The vulnerability is anchored in an improper privilege check (CWE‑862).
Affected Systems
The flaw affects RustFS distributed object storage with product identifier rustfs:rustfs. Versions 1.0.0‑beta.7 and all earlier releases are vulnerable. Later releases have hardened the metrics endpoint via proper admin authorization.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate impact; the EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires legitimate IAM credentials, so any user who can log in can exploit the endpoint. Exploitation is straightforward: send a GET request to /rustfs/admin/v3/metrics after authenticating. No additional conditions or configuration changes are required, making it easily exploitable for any authenticated user.
OpenCVE Enrichment