CVE-2024-52522: 
Rclone vulnerability analysis and mitigation

Rclone version 1.68.1 and earlier contains a vulnerability in the handling of symlinks when using --links and --metadata options while copying to local disk. The vulnerability (CVE-2024-52522) was discovered and disclosed on November 15, 2024, affecting the rclone command-line program used to sync files and directories between cloud storage providers. This vulnerability has been fixed in version 1.68.2 (GitHub Advisory).

The vulnerability stems from improper handling of symlinks when using both --links and --metadata options. When copying directories containing symlinks, rclone incorrectly applies chown and chmod operations to the target of the symlink instead of the symlink itself. The vulnerability has been assigned a CVSS v4.0 base score of 5.4 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L. The issue is related to multiple CWE categories including CWE-61 (UNIX Symbolic Link Following), CWE-281 (Improper Preservation of Permissions), and CWE-59 (Improper Link Resolution Before File Access) (GitHub Advisory, NVD).

The vulnerability allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy operation. This could enable privilege escalation and unauthorized access to critical system files (e.g., /etc/shadow), potentially compromising system integrity, confidentiality, and availability. The impact is particularly severe when rclone is run with elevated privileges (GitHub Advisory).

The vulnerability has been fixed in rclone version 1.68.2. Users should upgrade to this version or later. For those unable to upgrade immediately, the vulnerability can be avoided by not using the combination of --links and --metadata options when copying files to local storage, particularly when running rclone with elevated privileges (GitHub Advisory).