漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
RustFS missing admin authorization on notification target endpoints, which allows unauthenticated configuration of event webhooks
Vulnerability Description
RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-alpha.94, all four notification target admin API endpoints in `rustfs/src/admin/handlers/event.rs` use a `check_permissions` helper that validates authentication only (access key + session token), without performing any admin-action authorization via `validate_admin_request`. Every other admin handler in the codebase correctly calls `validate_admin_request` with a specific `AdminAction`. This is the only admin handler file that skips authorization. A non-admin user can overwrite a shared admin-defined notification target by name, causing subsequent bucket events to be delivered to an attacker-controlled endpoint. This enables cross-user event interception and audit evasion. 1.0.0-alpha.94 contains a patch.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
Vulnerability Type
授权机制缺失
Vulnerability Title
rustfs 安全漏洞
Vulnerability Description
rustfs是RustFS开源的一个高性能对象存储系统。 rustfs 1.0.0-alpha.94之前版本存在安全漏洞,该漏洞源于事件通知目标管理API端点缺少管理员操作授权检查,可能导致非管理员用户覆盖共享的管理员定义的通知目标,造成跨用户事件拦截和审计规避。
CVSS Information
N/A
Vulnerability Type
N/A