Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.
History

Fri, 22 Nov 2024 12:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}
Values Added: cvssV3_1 {'score': 6.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L'}


Sat, 16 Nov 2024 02:00:00 +0000

Type: References

Type: Metrics
Values Removed: threat_severity None
Values Added: threat_severity Moderate


Fri, 15 Nov 2024 19:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 15 Nov 2024 17:30:00 +0000

Type: Description
Values Added: Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

Type: Title
Values Added: Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

Type: Weaknesses
Values Added: CWE-281, CWE-59, CWE-61

Type: References

Type: Metrics
Values Added: cvssV4_0 {'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-11-15T17:15:43.357Z

Updated: 2024-11-21T14:56:00.193Z

Reserved: 2024-11-11T18:49:23.559Z

Link: CVE-2024-52522

Vulnrichment

Updated: 2024-11-15T18:25:52.467Z

NVD

Status: Awaiting Analysis

Published: 2024-11-15T18:15:30.643

Modified: 2024-11-21T15:15:33.637

Link: CVE-2024-52522

Redhat

Severity: Moderate

Published Date: 2024-11-15T17:15:43Z

Links: CVE-2024-52522 - Bugzilla