oss-sec mailing list archives
rclone data exflitration / unauthorized API use
From: oss-security-list () contactdaniel net
Date: Tue, 26 Jun 2018 17:56:18 -0700
Due to it's reliance on vulnerable upstream vendor SDKs & APIs, all current versions of 'rclone' are subject to a variety of attacks.
This vulnerability is an instance of a class of security vulnerabilities that affect a wide variety of software. Any API which has clients perform actions on arbitrary URLs chosen by the API server will lead to this class of attack becoming a concern.
Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex Disk APIs are affected.
No CVE is presently assigned.Further details at: https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/
-- Daniel Dent https://www.danieldent.com/
Current thread:
- rclone data exflitration / unauthorized API use oss-security-list (Jun 27)
- Re: rclone data exflitration / unauthorized API use Solar Designer (Jun 27)