RustFS Notification Target Admin API Authorization Bypass Vulnerability

Vulnerability

An authorization bypass vulnerability has been identified in RustFS, a distributed object storage system, in versions prior to 1.0.0-alpha.94. The issue arises in all four notification target admin API endpoints, which only validate authentication without proper admin-action authorization. This flaw allows non-admin users to overwrite shared admin-defined notification targets, redirecting bucket event deliveries to attacker-controlled endpoints. Such exploitation facilitates cross-user event interception and evasion of audit trails.

Impact

Exploitation of this vulnerability allows for unauthorized configuration of event webhooks, interception of bucket events, and evasion of audit logs by deleting or overwriting notification targets.

Reproduction

The vulnerability can be reproduced by sending requests to the affected notification target admin API endpoints as a non-admin user. The 'check_permissions' helper authenticates the request but never checks whether the caller is authorized to perform the requested admin action. A non-admin user can therefore overwrite an existing notification target, which then receives the bucket events intended for the original target.
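The authentication-only check described above, modelled as an added Rust example (this is not RustFS code; `Caller`, `AdminAction`, `check_permissions_vulnerable`, `check_permissions_fixed` and `set_notification_target` are assumed names). The vulnerable helper passes any correctly signed request, while the fixed one also requires the caller's policy to grant the specific admin action.

```rust
use std::collections::HashMap;

#[derive(Debug, PartialEq)]
pub enum AuthError { Unauthenticated, Forbidden }

#[derive(Clone, Copy, PartialEq)]
pub enum AdminAction { SetNotificationTarget, RemoveNotificationTarget }

/// Hypothetical caller: whether the request signature verified, plus the
/// admin actions the caller's policy grants (empty for a plain bucket user).
pub struct Caller { pub valid_signature: bool, pub admin_actions: Vec<AdminAction> }

pub type PermCheck = fn(&Caller, AdminAction) -> Result<(), AuthError>;

/// Vulnerable pattern: the helper only authenticates. The `action` argument
/// is accepted but never consulted, so any correctly signed request passes.
pub fn check_permissions_vulnerable(c: &Caller, _action: AdminAction) -> Result<(), AuthError> {
    if !c.valid_signature { return Err(AuthError::Unauthenticated); }
    Ok(())
}

/// Fixed pattern: authenticate, then authorize the specific admin action.
pub fn check_permissions_fixed(c: &Caller, action: AdminAction) -> Result<(), AuthError> {
    if !c.valid_signature { return Err(AuthError::Unauthenticated); }
    if !c.admin_actions.contains(&action) { return Err(AuthError::Forbidden); }
    Ok(())
}

/// Model of the "set notification target" admin endpoint: replaces the webhook
/// URL stored under `id` only if the supplied permission check passes.
pub fn set_notification_target(check: PermCheck, targets: &mut HashMap<String, String>,
                               caller: &Caller, id: &str, url: &str) -> Result<(), AuthError> {
    check(caller, AdminAction::SetNotificationTarget)?;
    targets.insert(id.to_string(), url.to_string());
    Ok(())
}

fn main() {
    // Constructed scenario: an admin-defined target and a non-admin caller.
    let mut targets = HashMap::from([("audit".to_string(), "https://siem.internal/hook".to_string())]);
    let user = Caller { valid_signature: true, admin_actions: vec![] };
    let v = set_notification_target(check_permissions_vulnerable, &mut targets, &user, "audit", "https://other.example/hook");
    let f = set_notification_target(check_permissions_fixed, &mut targets, &user, "audit", "https://other.example/hook");
    println!("vulnerable: {:?}, fixed: {:?}, target now: {}", v, f, targets["audit"]);
}
```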

Remediation

Users can upgrade to RustFS version 1.0.0-alpha.94 or later, where this vulnerability has been patched.

Added: Apr 22, 2026, 9:22 PM
Updated: Apr 22, 2026, 9:22 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 3.1
exploitability: 6.6
remediation: 0.0
relevance: 6.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.