Lookup for vulnerabilities affecting packages.
| Vulnerability_id | VCID-7rrj-tgy7-zqhn |
|---|
| Summary | RustFS is a distributed object storage system built in Rust. Prior to 1.0.0-beta.2, the internode RPC layer authenticates every request with an HMAC-SHA256 signature using a shared secret. The function that produces this secret, get_shared_secret() in crates/ecstore/src/rpc/http_auth.rs, falls back to the public, source-tree-embedded DEFAULT_SECRET_KEY = "rustfsadmin" when neither the RUSTFS_RPC_SECRET environment variable nor the global S3 secret key has been configured. This vulnerability is fixed in 1.0.0-beta.2. |
|---|
| Aliases |
|
|---|
| Fixed_packages |
|
|---|
| Affected_packages |
|
|---|
| References |
|
|---|
| Weaknesses |
| 0 |
| cwe_id |
798 |
| name |
Use of Hard-coded Credentials |
| description |
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
|
| 1 |
| cwe_id |
1392 |
| name |
Use of Default Credentials |
| description |
The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
|
|
|---|
| Exploits |
|
|---|
| Severity_range_score | 9.8 - 9.8 |
|---|
| Exploitability | null |
|---|
| Weighted_severity | null |
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/vulnerabilities/VCID-7rrj-tgy7-zqhn |
|---|