Medium severity · OSV Advisory · Published Nov 15, 2024 · Updated Apr 15, 2026
CVE-2024-52522
Description
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/rclone/rclone (Go) | >= 1.59.0, < 1.68.2 | 1.68.2 |
Affected products
osv-coords, 10 versions:

| Package URL | CPE | Affected range |
|---|---|---|
| pkg:apk/chainguard/rclone | (no CPE) | < 1.68.2-r0 |
| pkg:apk/chainguard/rclone-compat | (no CPE) | < 1.68.2-r0 |
| pkg:apk/chainguard/telegraf-1.32 | (no CPE) | < 1.32.3-r1 |
| pkg:apk/wolfi/rclone | (no CPE) | < 1.68.2-r0 |
| pkg:apk/wolfi/rclone-compat | (no CPE) | < 1.68.2-r0 |
| pkg:apk/wolfi/telegraf-1.32 | (no CPE) | < 1.32.3-r1 |
| pkg:bitnami/rclone | (no CPE) | >= 1.59.0, < 1.68.2 |
| pkg:golang/github.com/rclone/rclone | (no CPE) | >= 1.59.0, < 1.68.2 |
| pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed | (no CPE) | < 0.0.20241119T173509-1.1 |
| pkg:rpm/opensuse/rclone&distro=openSUSE%20Tumbleweed | (no CPE) | < 1.68.2-2.1 |