RustFS's Missing Post Policy Validation leads to Arbitrary Object Write
RustFS is a distributed object storage system built in Rust. In versions 1.0.0-alpha.56 through 1.0.0-alpha.82, RustFS does not validate policy conditions in presigned POST uploads (PostObject), allowing attackers to bypass content-length-range, starts-with, and Content-Type constraints. This enables unauthorized file uploads exceeding size limits, uploads to arbitrary object keys, and content-type spoofing, potentially leading to storage exhaustion, unauthorized data access, and security bypasses. Version 1.0.0-alpha.83 fixes the issue.
Problem Types
| Type | CWE ID | Description |
|---|
| CWE | CWE-20 | CWE-20: Improper Input Validation |
| CWE | CWE-863 | CWE-863: Incorrect Authorization |
Type: CWE
Description: CWE-20: Improper Input Validation
Type: CWE
Description: CWE-863: Incorrect Authorization
Metrics
| Version | Base score | Base severity | Vector |
|---|
| 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |
Version: 3.1
Base score: 8.1
Base severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H