CVE-2018-12907

HIGH

rclone 1.42 - Unauthenticated Exposure of Sensitive Information via Google Cloud Storage API URL Field

Title source: llm

Description

In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.

References (2)

Core References
Mailing List, Third Party Advisory x_refsource_misc
http://openwall.com/lists/oss-security/2018/06/27/3

Scores

CVSS v3 7.5
EPSS 0.0131
EPSS Percentile 67.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE CWE-200
Status published
Products (1)
rclone/rclone 1.42
Published Jun 27, 2018
Tracked Since Feb 18, 2026