
Rand-Tech

#37614 of 53,619
7.5 Total CVSS
Vulnerabilities · 1
PT-2026-3260
7.5
2026-01-11
Rustfs · Rustfs · CVE-2026-22782
**Name of the Vulnerable Software and Affected Versions**

RustFS versions 1.0.0-alpha.1 through 1.0.0-alpha.79

**Description**

RustFS is a distributed object storage system built in Rust. Invalid RPC signatures cause the server to log the shared HMAC secret and the expected signature. This exposes the secret to log readers, potentially enabling forged RPC calls. The issue resides in the `crates/ecstore/src/rpc/http_auth.rs` file, specifically within the invalid signature branch, where sensitive data is logged. Any invalidly signed request triggers this logging, and the function is accessible from RPC and admin request handlers. The logged information includes the `secret` and `expected_signature`, both derived from the shared HMAC key.

**Recommendations**

Upgrade to RustFS version 1.0.0-alpha.80 or later.
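The logging pattern described above, next to a failure branch that keeps key material out of the log. This is an added illustration, not RustFS code: it is written in Python so it runs with the standard library alone, and the function names, log messages, sample values and the choice of HMAC-SHA256 are assumptions.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("rpc_auth_example")  # hypothetical logger name
log.propagate = False

def expected_signature(secret: bytes, message: bytes) -> str:
    # HMAC-SHA256 is an assumption; the advisory only says "HMAC".
    return hmac.new(secret, message, hashlib.sha256).hexdigest()

def verify_leaky(secret: bytes, message: bytes, signature: str) -> bool:
    """Failure branch as the advisory describes it: logs the key and the valid MAC."""
    expected = expected_signature(secret, message)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        # Every badly signed request writes the shared secret to the log.
        log.error("invalid signature: secret=%s expected=%s got=%s",
                  secret.decode(), expected, signature)
        return False
    return True

def verify_hardened(secret: bytes, message: bytes, signature: str) -> bool:
    """Same check; the failure branch records the event without key-derived data."""
    expected = expected_signature(secret, message)
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        # Neither the secret nor the expected value is logged, only
        # the fact of failure and the length of what was presented.
        log.warning("invalid RPC signature (presented length=%d)", len(signature))
        return False
    return True

class Capture(logging.Handler):
    """Collects formatted log messages so they can be inspected."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

def logged_by(verify, secret: bytes, message: bytes, signature: str):
    """Run one verification; return (result, log lines it produced)."""
    cap = Capture()
    log.addHandler(cap)
    try:
        return verify(secret, message, signature), cap.lines
    finally:
        log.removeHandler(cap)

if __name__ == "__main__":
    for fn in (verify_leaky, verify_hardened):  # constructed key, body and bad signature
        print(fn.__name__, logged_by(fn, b"constructed-key", b"constructed-rpc-body", "00" * 32))
```

If the secret may already have reached logs under the first pattern, upgrading stops new leaks but does not retire the exposed key; rotating it is the usual follow-up.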