BIT-rclone-2024-52522

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/rclone/BIT-rclone-2024-52522.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-rclone-2024-52522
Aliases
Published
2024-11-19T07:18:21.819Z
Modified
2024-11-19T17:42:44.778906Z
Summary
[none]
Details

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

References

Affected packages

Bitnami / rclone

Package

Name
rclone
Purl
pkg:bitnami/rclone

Severity

  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
1.59.0
Fixed
1.68.2