RustFS
Affected versions: <= 1.0.0-beta.1
A vulnerability exists in RustFS versions through 1.0.0-beta.1, where the console endpoint GET /rustfs/console/license can be accessed without authentication. This endpoint, part of the console listener, delivers JSON-formatted license information, including the license subject and expiration timestamp. Any client with access to the console listener can query this endpoint without credentials. The vulnerability is addressed in RustFS version 1.0.0-beta.2.
Exploitation of this vulnerability allows any unauthenticated client with access to the RustFS console listener to read license metadata, including sensitive information about the organization or customer identity and license expiration details. This could facilitate targeted reconnaissance against the exposed console deployment.
To reproduce this vulnerability, send a GET request to the /rustfs/console/license endpoint on a RustFS console listener running a version prior to 1.0.0-beta.2. The response will include parsed license metadata without requiring authentication. In a fresh RustFS instance, the response will contain empty values, but with a configured license, it will display the license subject and expiration timestamp.
Update RustFS to version 1.0.0-beta.2 or later. If an immediate update is not possible, restrict network access to the RustFS console listener to prevent exposure to untrusted clients.
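After updating or restricting access, an operator will want to confirm that the console listener no longer answers the license endpoint to a client that presents no credentials. The script below is an added example written for this advisory, not RustFS project code. It assumes the operator supplies the console listener base URL, and, because the advisory does not name the JSON keys, it treats any 2xx JSON response to an unauthenticated GET of /rustfs/console/license as "exposed", including the empty-values response a fresh instance returns; a 401 or 403 is treated as "protected", and anything else as "inconclusive" for manual follow-up.

```python
"""Post-remediation check for the unauthenticated RustFS console license endpoint.

Added example, not RustFS project code. Assumptions: the console listener
base URL is supplied by the operator; any 2xx response carrying a JSON body,
returned to a request that sends no credentials, counts as exposed regardless
of field names (the advisory does not name the JSON keys). A fresh instance
answering 200 with empty values is still exposed.
"""
import json
import sys
import urllib.error
import urllib.request

LICENSE_PATH = "/rustfs/console/license"  # path from the advisory


def classify_license_response(status, body):
    """Classify the response to a credential-less GET of the license endpoint.

    Returns 'protected' when the listener demands authentication (401/403),
    'exposed' when it serves a JSON document to an anonymous client (any 2xx),
    and 'inconclusive' otherwise (404 may mean no console listener on this
    port; 5xx, HTML error pages and the like need a manual look).
    """
    if status in (401, 403):
        return "protected"
    if 200 <= status < 300:
        try:
            json.loads(body)
        except (ValueError, TypeError):
            # 2xx but not JSON: not the advisory's behaviour, inspect manually
            return "inconclusive"
        return "exposed"
    return "inconclusive"


def check_console(base_url, timeout=5):
    """Send one GET with no Authorization header and classify the answer."""
    url = base_url.rstrip("/") + LICENSE_PATH
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_license_response(
                resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 4xx/5xx arrive as exceptions; the status is still what we classify
        return classify_license_response(
            err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python check_license_endpoint.py http://<console-host>:<console-port>
    # (host and port are a placeholder; use your own deployment's listener address)
    if len(sys.argv) != 2:
        sys.exit("usage: check_license_endpoint.py <console-listener-base-url>")
    verdict = check_console(sys.argv[1])
    print(f"{LICENSE_PATH}: {verdict}")
    sys.exit(0 if verdict == "protected" else 1)
```

The exit status makes the script usable in a post-deployment smoke test: a non-zero exit after an upgrade to 1.0.0-beta.2 or later, or after a network restriction, means the listener is still reachable and still answering anonymously and should be investigated before the deployment is considered remediated.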