CVE-2024-52522— Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

N/A

在文件访问前对链接解析不恰当(链接跟随)

Rclone 安全漏洞

Rclone是Rclone团队的一个可以从云存储异步同步数据的软件。该软件支持 Google Drive, Amazon Drive, S3, Dropbox, Backblaze B2, One Drive, Swift, Hubic, Cloudfiles, Google Cloud Storage, Yandex Files等云存储。 Rclone存在安全漏洞，该漏洞源于对符号链接的 --links 和 --metadata 处理不安全。

N/A

N/A