Upstream information
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
CNA (CISA-ADP) | |
---|---|
Base Score | 5.5 |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | Required |
Scope | Unchanged |
Confidentiality Impact | Low |
Integrity Impact | Low |
Availability Impact | Low |
CVSSv3 Version | 3.1 |
CNA (GitHub) | |
---|---|
Base Score | 5.4 |
Vector | CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Attack Vector | Local |
Attack Complexity | Low |
Attack Requirements | Present |
Privileges Required | Low |
User Interaction | Active |
Vulnerable System Confidentiality Impact | High |
Vulnerable System Integrity Impact | High |
Vulnerable System Availability Impact | High |
Subsequent System Confidentiality Impact | Low |
Subsequent System Integrity Impact | Low |
Subsequent System Availability Impact | Low |
CVSSv4 Version | 4.0 |
SUSE Security Advisories:
- openSUSE-SU-2024:14513-1, published Thu Nov 21 18:50:24 2024
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2024-14513 |
SUSE Timeline for this CVE
CVE page created: Fri Nov 15 20:00:37 2024CVE page last modified: Thu Nov 21 19:59:26 2024