Skandragon

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** The internode RPC layer authenticates requests using an HMAC-SHA256 signature with a shared secret. The function `get shared secret()` in crates/ecstore/src/rpc/http auth.rs defaults to a public, source-tree-embedded key `DEFAULT SECRET KEY` ("rustfsadmin") if the `RUSTFS RPC SECRET` environment variable and the global S3 secret key are not configured. **Recommendations** Update to version 1.0.0-beta.2. Configure the `RUSTFS RPC SECRET` environment variable or the global S3 secret key to avoid the use of the default secret key.

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** The software includes a 2048-bit RSA private key as a string constant named `TEST PRIVATE KEY` within the file crates/appauth/src/token.rs. This key is utilized in production by the `parse license()` function to verify license tokens. Since the key is embedded in all published source releases and binaries, an attacker with access to the repository or binary can extract it to create arbitrary license tokens with any subject or expiration date. This bypasses the license-enforcement mechanism when the license Cargo feature is enabled. **Recommendations** Update to version 1.0.0-beta.2.

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** When the `RUSTFS CORS ALLOWED ORIGINS` variable is unset, the S3 listener's ConditionalCorsLayer reflects any request Origin value back as Access-Control-Allow-Origin. It also sets Access-Control-Allow-Credentials: true and Access-Control-Allow-Headers: * on responses, including preflight and error responses. This creates a permissive cross-domain policy with untrusted origins, allowing a browser visiting an attacker-controlled page to issue credentialed cross-origin requests to a RustFS deployment. This enables the reading of responses when the victim browser possesses ambient credentials for the RustFS origin, such as saved HTTP Basic Auth credentials, reverse-proxy SSO cookies, or TLS client certificates. **Recommendations** Update to version 1.0.0-beta.2.

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-beta.2 **Description** The console endpoint "GET /rustfs/console/license" returns parsed license metadata, including the license subject and expiration timestamp in JSON format, without requiring authentication. Any client capable of reaching the console listener can query this endpoint without providing credentials. **Recommendations** Update to version 1.0.0-beta.2.