CVE-2018-12907
Severity
HIGH
rclone 1.42 - Unauthenticated Exposure of Sensitive Information via Google Cloud Storage API URL Field
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.
References (2)
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2018/06/27/3
Mitigation, Third Party Advisory x_refsource_misc
https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/
Scores
CVSS v3
7.5
EPSS
0.0131
EPSS Percentile
67.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
rclone/rclone
1.42
Published
Jun 27, 2018
Tracked Since
Feb 18, 2026