BIT-rclone-2024-52522

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/rclone/BIT-rclone-2024-52522.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-rclone-2024-52522

Aliases

Published

2024-11-19T07:18:21.819Z

Modified

2024-11-27T19:40:48.342Z

Summary

[none]

Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

Database specific

{
    "cpes": [
        "cpe:2.3:a:rclone:rclone:*:*:*:*:*:go:*:*"
    ],
    "severity": "Unknown"
}

References

Affected packages

Bitnami / rclone

Package

Name: rclone
Purl: pkg:bitnami/rclone

Affected ranges

Type: SEMVER
Events: Introduced

1.59.0

Fixed

1.68.2