Summary: | net-misc/rclone: data exfiltration / unauthorized API use | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Florian Schuhmacher <mynt1aa> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | ||
Severity: | minor | CC: | perfinion |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://github.com/rclone/rclone/issues/2376 | ||
Whiteboard: | B4 [upstream cve] | ||
Package list: | Runtime testing required: | --- |
Description
Florian Schuhmacher
2018-06-27 11:34:42 UTC
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.

I've dropped everything lower than 1.45.

Replacing URL with upstream bug. We're still waiting for a fix.

So, upstream says: "@kuraga to exploit this you need to MITM https traffic or compromise a cloud provider". Is this really a valid issue?

The upstream issue is closed after the reporter was unresponsive. Let's close due to upstream's concerns about validity.
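The description above says the affected rclone release followed a URL field returned by the Google Cloud Storage API without validating it. The Go program below is an added example, not rclone's code and not part of this bug report, showing the kind of check that closes that class of bug: a server-supplied URL is parsed and accepted only if it is https, carries no embedded credentials, has a host on an exact-match allowlist and uses the default port; otherwise the whole response is rejected. The allowlisted hosts, the `mediaLink` field name, the `objectMeta` type and the sample responses are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrUntrustedURL is returned for any server-supplied URL the client must not follow.
var ErrUntrustedURL = errors.New("server-supplied URL rejected")

// allowedHosts is a constructed allowlist for this example (an assumption, not
// a list taken from rclone): the only hosts a storage API response may send the
// client to. Matching is exact, so "storage.googleapis.com.attacker.example"
// does not pass.
var allowedHosts = map[string]bool{
	"storage.googleapis.com": true,
	"www.googleapis.com":     true,
}

// ValidateServerURL parses a URL that arrived inside an API response and
// returns it only if it is safe to follow: https, no embedded credentials,
// host on the allowlist, and the default port. Anything else is rejected with
// ErrUntrustedURL so the caller cannot accidentally proceed.
func ValidateServerURL(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("%w: unparsable: %v", ErrUntrustedURL, err)
	}
	if u.Scheme != "https" {
		return nil, fmt.Errorf("%w: scheme %q is not https", ErrUntrustedURL, u.Scheme)
	}
	if u.User != nil {
		return nil, fmt.Errorf("%w: credentials embedded in URL", ErrUntrustedURL)
	}
	host := strings.ToLower(u.Hostname())
	if !allowedHosts[host] {
		return nil, fmt.Errorf("%w: host %q not in allowlist", ErrUntrustedURL, host)
	}
	if p := u.Port(); p != "" && p != "443" {
		return nil, fmt.Errorf("%w: unexpected port %q", ErrUntrustedURL, p)
	}
	return u, nil
}

// objectMeta models the one field this example reads from an object-metadata
// response. The field name "mediaLink" is an assumption for the example.
type objectMeta struct {
	Name      string `json:"name"`
	MediaLink string `json:"mediaLink"`
}

// MediaLinkFromResponse decodes a metadata response and validates the download
// URL it carries before handing it back. A response that points anywhere
// unexpected is rejected as a whole, which is the check the report says was
// missing.
func MediaLinkFromResponse(body []byte) (*url.URL, error) {
	var m objectMeta
	if err := json.Unmarshal(body, &m); err != nil {
		return nil, fmt.Errorf("decoding response: %w", err)
	}
	if m.MediaLink == "" {
		return nil, fmt.Errorf("%w: response has no mediaLink", ErrUntrustedURL)
	}
	return ValidateServerURL(m.MediaLink)
}

func main() {
	// Constructed sample responses: one as a well-behaved server would return it,
	// and several shaped the way a tampered or hostile response might be.
	samples := []string{
		`{"name":"report.csv","mediaLink":"https://storage.googleapis.com/download/storage/v1/b/src/o/report.csv?alt=media"}`,
		`{"name":"report.csv","mediaLink":"https://collector.attacker.example/upload"}`,
		`{"name":"report.csv","mediaLink":"http://storage.googleapis.com/download/storage/v1/b/src/o/report.csv?alt=media"}`,
		`{"name":"report.csv","mediaLink":"https://storage.googleapis.com.attacker.example/x"}`,
		`{"name":"report.csv","mediaLink":"https://svc:token@storage.googleapis.com/x"}`,
	}
	for _, s := range samples {
		if u, err := MediaLinkFromResponse([]byte(s)); err != nil {
			fmt.Println("REJECT:", err)
		} else {
			fmt.Println("FOLLOW:", u.String())
		}
	}
}
```

The decision is made on the parsed host, not by prefix-matching the raw string, and every failure is an error the caller has to handle rather than a fall-through to the original URL; that is what stops a tampered response from steering the next request, and the data it carries, to a host the client never intended to talk to.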