BIT-rclone-2024-52522

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/rclone/BIT-rclone-2024-52522.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-rclone-2024-52522

Aliases

Published

2024-11-19T07:18:21.819Z

Modified

2024-11-19T17:59:14.612889Z

Summary

[none]

Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

References

Affected packages

Bitnami / rclone

Package

Name: rclone
Purl: pkg:bitnami/rclone

Severity

5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

1.59.0

Fixed

1.68.2