#VU37002 Information disclosure in rclone
Vulnerability identifier: #VU37002
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
rclone
Other software /
Other software solutions
Vendor: rclone.org
Description
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.
Mitigation
Install update from vendor's website.
Vulnerable software versions
rclone: 1.42
External links
http://openwall.com/lists/oss-security/2018/06/27/3
http://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
