CVE-2024-52522

MEDIUM EPSS 11.7%

Published Nov 15, 20241y ago · Modified Jun 17, 20261w ago

5.4 CVSS 4.0

Medium

Published Nov 15, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

CVSS Details

Base Score

5.4

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Local

Attack Complexity Low

Privileges Required Low

User Interaction A

Scope X

Threat Intelligence

EPSS Exploit Probability

11.7% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 3

CWE-281

CWE-59

CWE-61

References 2

github.com https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0
github.com https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.