Upstream information

CVE-2024-52522 at MITRE

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  CNA (CISA-ADP)
Base Score 5.5
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality Impact Low
Integrity Impact Low
Availability Impact Low
CVSSv3 Version 3.1
CVSS v4 Scores
  CNA (GitHub)
Base Score 5.4
Vector CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User Interaction Active
Vulnerable System Confidentiality Impact High
Vulnerable System Integrity Impact High
Vulnerable System Availability Impact High
Subsequent System Confidentiality Impact Low
Subsequent System Integrity Impact Low
Subsequent System Availability Impact Low
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1233422 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • govulncheck-vulndb >= 0.0.20241119T173509-1.1
  • rclone >= 1.68.2-2.1
  • rclone-bash-completion >= 1.68.2-2.1
  • rclone-zsh-completion >= 1.68.2-2.1
Patchnames:
openSUSE-Tumbleweed-2024-14513
openSUSE-Tumbleweed-2024-14524


SUSE Timeline for this CVE

CVE page created: Fri Nov 15 20:00:37 2024
CVE page last modified: Thu Dec 12 00:59:53 2024