CVE-2024-52522 MEDIUM

CVE-2024-52522: Rclone Improper Permission and Ownership Handling on Symlink Targets with --links and --metadata

Vendor Rclone
Product rclone
Weakness CWE-59
Published November 15, 2024
Last update November 21, 2024

CVSS base score 5.4/10

Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Active
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

What the vulnerability does

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

Key dates

Disclosure timeline

November 15, 2024 CVE published
November 21, 2024 Record updated