CVE-2024-52522

EPSS 0.03%
Veröffentlicht 15.11.2024 18:15:30
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 5

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerrclone

≫

Produkt rclone

Version >= 1.59.0, < 1.68.2

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.077

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.4	0	0	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-281 Improper Preservation of Permissions

The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.

CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

CWE-61 UNIX Symbolic Link (Symlink) Following

The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.

https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0

https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv

https://nvd.nist.gov/vuln/detail/CVE-2024-52522

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-52522

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-52522

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-52522