Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HRclone
APPRclone1.46 – 1.74.3 (bez)
Related vulnerabilities
Rclone RC: pominięcie uwierzytelnienia przez endpoint options/set
Rclone: nieuwierzytelnione RCE przez endpoint RC operations/fsinfo
An issue was discovered in Rclone before 1.53.3. Due to the use of a weak random number generator, the passwor...
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow atta...