In Rclone 1.42, use of "rclone sync" to migrate data between two Google Cloud Storage buckets might allow attackers to trigger the transmission of any URL's content to Google, because there is no validation of a URL field received from the Google Cloud Storage API server, aka a "RESTLESS" issue.
References
Link | Resource |
---|---|
http://openwall.com/lists/oss-security/2018/06/27/3 | Mailing List Third Party Advisory |
https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/ | Mitigation Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2018-06-27T13:00:00
Updated: 2018-06-27T13:57:01
Reserved: 2018-06-27T00:00:00
Link: CVE-2018-12907
JSON object: View
NVD Information
Status : Analyzed
Published: 2018-06-27T13:29:00.263
Modified: 2018-08-31T16:10:53.150
Link: CVE-2018-12907
JSON object: View
Redhat Information
No data.
CWE