Threonine

**Name of the Vulnerable Software and Affected Versions** RustFS versions prior to 1.0.0-alpha.79 **Description** RustFS is a distributed object storage system built in Rust. The `ImportIam` API endpoint incorrectly validates permissions using `ExportIAMAction` instead of `ImportIAMAction`. This allows a principal with only export IAM permissions to perform import operations. Importing IAM data involves privileged write actions, including the creation or modification of users, groups, policies, and service accounts, potentially leading to unauthorized IAM modification and privilege escalation. **Recommendations** Update to version 1.0.0-alpha.79 or later.

**Name of the Vulnerable Software and Affected Versions** RustFS versions 1.0.0-alpha.13 through 1.0.0-alpha.78 **Description** RustFS is a distributed object storage system built in Rust. A flaw in the `deny only` short-circuit within RustFS IAM allows a restricted service account or STS credential to create an unrestricted service account, gaining the parent’s full privileges. This enables privilege escalation and bypasses session or inline policy restrictions. The vulnerable component is the RustFS IAM system, specifically the `deny only` short-circuit logic. **Recommendations** Versions prior to 1.0.0-alpha.79 are affected and should be updated to version 1.0.0-alpha.79 or later.