Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2018-12907 |
CWE-ID | CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
rclone Other software / Other software solutions |
Vendor | rclone.org |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU37002
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-12907
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.
MitigationInstall update from vendor's website.
Vulnerable software versionsrclone: 1.42
External linkshttp://openwall.com/lists/oss-security/2018/06/27/3
http://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.