{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/83431?format=json","vulnerability_id":"VCID-wvbv-394j-8fcc","summary":"RustFS is a distributed object storage system built in Rust. From >= 1.0.0-alpha.1 to 1.0.0-alpha.79, invalid RPC signatures cause the server to log the shared HMAC secret (and expected signature), which exposes the secret to log readers and enables forged RPC calls. In crates/ecstore/src/rpc/http_auth.rs, the invalid signature branch logs sensitive data. This log line includes secret and expected_signature, both derived from the shared HMAC key. Any invalidly signed request triggers this path. The function is reachable from RPC and admin request handlers. This vulnerability is fixed in 1.0.0-alpha.80.","aliases":[{"alias":"CVE-2026-22782"},{"alias":"GHSA-333v-68xh-8mmq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37844?format=json","purl":"pkg:cargo/rustfs@1.0.0-alpha.80","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/rustfs@1.0.0-alpha.80"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37843?format=json","purl":"pkg:cargo/rustfs@1.0.0-alpha.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wvbv-394j-8fcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/rustfs@1.0.0-alpha.1"},{"url":"http://public2.vulnerablecode.io/api/packages/36579?format=json","purl":"pkg:cargo/rustfs@1.0.0-alpha.79","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-wvbv-394j-8fcc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:cargo/rustfs@1.0.0-alpha.79"}],"references":[{"reference_url":"https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560","reference_id":"6b2eebee1d07399ef02c0863bd515b4412a5a560","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:35:34Z/"}],"url":"https://github.com/rustfs/rustfs/commit/6b2eebee1d07399ef02c0863bd515b4412a5a560"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22782","reference_id":"CVE-2026-22782","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-22782"},{"reference_url":"https://github.com/advisories/GHSA-333v-68xh-8mmq","reference_id":"GHSA-333v-68xh-8mmq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-333v-68xh-8mmq"},{"reference_url":"https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq","reference_id":"GHSA-333v-68xh-8mmq","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:35:34Z/"}],"url":"https://github.com/rustfs/rustfs/security/advisories/GHSA-333v-68xh-8mmq"},{"reference_url":"https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122","reference_id":"http_auth.rs#L115-L122","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-16T16:35:34Z/"}],"url":"https://github.com/rustfs/rustfs/blob/9e162b6e9ebb874cc1d06a7b33bc4a05786578aa/crates/ecstore/src/rpc/http_auth.rs#L115-L122"}],"weaknesses":[{"cwe_id":532,"name":"Insertion of Sensitive Information into Log File","description":"Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information."}],"exploits":[],"severity_range_score":"0.1 - 3","exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-wvbv-394j-8fcc"}