Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Starting in version 1.48.0 and prior to version 1.73.5, the RC endpoint operations/fsinfo is exposed without AuthRequired: true and accepts attacker-controlled fs input. Because rc.GetFs(...) supports inline backend definitions, an unauthenticated attacker can instantiate an attacker-controlled backend on demand. For the WebDAV backend, the bearer_token_command option is executed during backend initialization, so a single unauthenticated request yields local command execution on any reachable RC deployment that does not enforce global HTTP authentication. Version 1.73.5 patches the issue.
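The weakness above is that an unauthenticated caller may hand operations/fsinfo an fs string that rclone parses as an on-the-fly backend definition, and that some backend options (bearer_token_command on WebDAV) run a local command while the backend is being set up. The following pre-filter is an added example, not code from the advisory or from rclone itself: it parses rclone's connection-string syntax (assumed here as ":backend,opt=val,opt2="quoted,val":path" for an inline backend and "remote,opt=val:path" for option overrides on a configured remote, with "" as the escape for a literal quote inside a quoted value), refuses any *_command option outright, and refuses inline backends or option overrides from callers that have not authenticated. The request bodies at the bottom are constructed for the demonstration; the JSON shape follows what the RC accepts for the fs parameter.

```python
"""Added example, not part of the advisory or of rclone: a pre-filter for
rclone RC requests, e.g. in a reverse proxy in front of the RC port.

Assumed connection-string grammar (rclone's documented form):

    :backend,opt=val,opt2="quoted,val":path    on-the-fly (inline) backend
    remote,opt=val:path                         configured remote + overrides
    remote:path                                 configured remote
    /local/path                                 local filesystem

Double quotes protect values containing ',' or ':'; a literal quote inside a
quoted value is written as "". A bare option with no '=value' is assumed to
mean boolean true. Windows drive letters (C:\\x) are not handled.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FsSpec:
    name: str                                   # backend type or remote; "" for local
    options: Dict[str, str] = field(default_factory=dict)
    path: str = ""
    inline: bool = False                        # True for ":backend,...:" forms


def parse_fs(fs: str) -> FsSpec:
    """Split an rclone connection string into name, options, path."""
    inline = fs.startswith(":")
    i = 1 if inline else 0
    j = i
    while j < len(fs) and fs[j] not in ",:":
        j += 1
    if j == len(fs):                            # no ',' or ':' at all
        if inline:
            raise ValueError("inline backend without terminating ':'")
        return FsSpec(name="", path=fs)         # plain local path
    spec = FsSpec(name=fs[i:j], inline=inline)
    while fs[j] == ",":                         # one ',key[=value]' per pass
        j += 1
        k = j
        while j < len(fs) and fs[j] not in "=,:":
            j += 1
        key = fs[k:j]
        value = "true"                          # bare option (assumed boolean)
        if j < len(fs) and fs[j] == "=":
            j += 1
            if j < len(fs) and fs[j] == '"':    # quoted value, "" escapes a quote
                j += 1
                buf: List[str] = []
                while True:
                    if j >= len(fs):
                        raise ValueError("unterminated quoted value")
                    if fs[j] == '"':
                        if j + 1 < len(fs) and fs[j + 1] == '"':
                            buf.append('"')
                            j += 2
                            continue
                        j += 1
                        break
                    buf.append(fs[j])
                    j += 1
                value = "".join(buf)
            else:                               # unquoted value, ends at ',' or ':'
                k = j
                while j < len(fs) and fs[j] not in ",:":
                    j += 1
                value = fs[k:j]
        spec.options[key] = value
        if j >= len(fs):
            raise ValueError("options not followed by ':'")
    if fs[j] != ":":
        raise ValueError("unexpected %r after option value" % fs[j])
    spec.path = fs[j + 1:]
    return spec


def check_rc_request(body: str, authenticated: bool) -> Tuple[bool, str]:
    """Return (allow, reason) for a JSON RC request body.

    Policy: any option that ends in '_command' is refused regardless of
    authentication; unauthenticated callers may only name a configured
    remote or a local path, with no inline backend and no option overrides.
    """
    params = json.loads(body)
    fs = params.get("fs")
    if not isinstance(fs, str):
        return True, "no fs parameter"
    try:
        spec = parse_fs(fs)
    except ValueError as exc:
        return False, "malformed fs: %s" % exc
    risky = sorted(k for k in spec.options if k.endswith("_command"))
    if risky:
        return False, "command-executing option(s) %s in fs" % risky
    if not authenticated and (spec.inline or spec.options):
        return False, "inline backend or option overrides require authentication"
    return True, "ok"


# Constructed request bodies for the demonstration (not captured traffic).
SAMPLE_REQUESTS = [
    ('{"fs": "mydrive:photos/2024"}', False),
    ('{"fs": "/var/backups"}', False),
    ('{"fs": "mydrive,chunk_size=64M:backup"}', False),
    ('{"fs": "mydrive,chunk_size=64M:backup"}', True),
    ('{"fs": ":webdav,url=\\"https://dav.example.invalid/\\",bearer_token_command=\\"id\\":"}', True),
]

if __name__ == "__main__":
    for body, auth in SAMPLE_REQUESTS:
        allowed, why = check_rc_request(body, auth)
        print("%-5s auth=%-5s %s -> %s" % ("ALLOW" if allowed else "DENY", auth, body, why))
```

Two points matter in practice. The url value in the last sample is quoted because it contains ':', so a naive split on ':' would misread it; that is why the filter parses the string rather than pattern-matching it. And option overrides on a configured remote are refused for unauthenticated callers too, since rc.GetFs accepts them as well as fully inline backends. A filter like this is defence in depth only: the fix is upgrading to 1.73.5 and running the RC with HTTP authentication (--rc-user and --rc-pass) rather than --rc-no-auth.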
Ubuntu rclone package versions listed on this page:
1.60.1+dfsg-4
1.60.1+dfsg-4ubuntu1
1.60.1+dfsg-4ubuntu2
1.60.1+dfsg-4ubuntu2.1
1.60.1+dfsg-4ubuntu3
1.60.1+dfsg-4ubuntu3.1
1.60.1+dfsg-2build1
1.60.1+dfsg-3
1.60.1+dfsg-3ubuntu0.24.04.1
1.60.1+dfsg-3ubuntu0.24.04.2
1.60.1+dfsg-3ubuntu0.24.04.3
1.60.1+dfsg-3ubuntu0.24.04.4
1.60.1+dfsg-3ubuntu0.24.04.4+esm1
1.60.1+dfsg-3ubuntu0.24.04.5

CVSS v4.0
Exploitability: AV:N (Network), AC:L (Low), AT:P (Present), PR:N (None), UI:N (None)
Vulnerable System: VC:H (High), VI:H (High), VA:H (High)
Subsequent System: SC:N (None), SI:N (None), SA:N (None)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N