RustFS Missing Authorization in Multipart Copy Allows Cross-Bucket Data Exfiltration

A vulnerability in RustFS prior to version alpha.90 allows low-privileged users to exfiltrate objects from victim buckets by copying them into an attacker-controlled multipart upload. This issue arises from a missing authorization check in the multipart copy process, breaking tenant isolation in multi-user deployments. The vulnerability is present in all versions from commit '09ea11c13' through 'c1d5106acc3480c275a52344df84633bb6dcd8f0', and likely any releases containing those commits'

Impact

Exploitation of this vulnerability enables unauthorized cross-bucket data exfiltration, allowing attackers to access objects from victim buckets without the necessary permissions. This breach of tenant isolation can lead to the exposure of sensitive information.

Reproduction

The vulnerability can be reproduced by uploading a private object to a victim bucket, then using an attacker-controlled bucket to initiate a multipart upload. The 'UploadPartCopy' operation can be performed without proper authorization checks, allowing the attacker to copy the victim's object into their own bucket. Once the multipart upload is completed, the exfiltrated object can be retrieved from the attacker's bucket, demonstrating the unauthorized access.

Remediation

Users are advised to update to RustFS version alpha.90 or later, where this vulnerability has been fixed.