GHSA-mm2q-qcmx-gw4w: RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover

ListServiceAccount (GET /rustfs/admin/v3/list-service-accounts?user=<other>) authorizes cross-user requests against UpdateServiceAccountAdminAction instead of ListServiceAccountsAdminAction at rustfs/src/admin/handlers/service_account.rs:936. The handler accepts the wrong admin action and rejects the correct one:

• A user granted only admin:UpdateServiceAccount enumerates every service account in the cluster, including the root user’s (HTTP 200, full metadata).
• A user granted only admin:ListServiceAccounts — the permission name every IAM document treats as “list service accounts” — receives HTTP 403 AccessDenied on the same request.

Because service account access keys act as the identifier a UpdateServiceAccount holder needs to rotate a secret, and the UpdateServiceAccount handler at rustfs/src/admin/handlers/service_account.rs:489 performs no ownership check on the target access key, leaking those access keys lets a delegated “service account updater” role overwrite root-sa-1’s secret, authenticate as the root user’s service account, and create a persistent backdoor admin with admin:* + s3:*. Proven live end-to-end against rustfs/rustfs:latest (1.0.0-alpha.91, revision d4ea14c2) — the same revision is byte-identical on current origin/main.