CVE-2024-52522

MEDIUM

Rclone < 1.68.2 - Symlink Following

Title source: rule

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

References (2)

[Vendor Advisory] https://github.com/rclone/rclone/security/advisories/GHSA-hrxh-9w67-g4cv

[Patch] https://github.com/rclone/rclone/commit/01ccf204f42b4f68541b16843292439090a2dcf0

View Patch ZIP pw:eip

Scores

CVSS v4 5.4

EPSS 0.0003

EPSS Percentile 7.7%

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-281 CWE-59 CWE-61

Status published

Products (2)

rclone/rclone 1.59.0 - 1.68.2Go

rclone/rclone >= 1.59.0, < 1.68.2

Published Nov 15, 2024

Tracked Since Feb 18, 2026