Vulnerability Details : CVE-2018-12907
In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.
Vulnerability category: Information leak
Products affected by CVE-2018-12907
- cpe:2.3:a:rclone:rclone:1.42:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-12907
0.15% (probability of exploitation activity in the next 30 days)
EPSS Score History
~51% (percentile: the proportion of vulnerabilities scored at or below this EPSS score)
CVSS scores for CVE-2018-12907
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-12907
- The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-12907
- https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/ (The RESTLESS Vulnerability: Non-Browser Based Cross-Domain HTTP Request Attacks - Daniel Dent; Mitigation; Third Party Advisory)
- http://openwall.com/lists/oss-security/2018/06/27/3 (oss-security - rclone data exfiltration / unauthorized API use; Mailing List; Third Party Advisory)