CVE-2024-52522

CVE-2024-52522 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-59.

Key facts

Description

Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.

Frequently asked questions

What is CVE-2024-52522?
Rclone is a command-line program to sync files and directories to and from different cloud storage providers. Insecure handling of symlinks with --links and --metadata in rclone while copying to local disk allows unprivileged users to indirectly modify ownership and permissions on symlink target files when a superuser or privileged process performs a copy. This vulnerability could enable privilege escalation and unauthorized access to critical system files, compromising system integrity, confidentiality, and availability. This vulnerability is fixed in 1.68.2.
How severe is CVE-2024-52522?
CVE-2024-52522 has a CVSS 4.0 base score of 5.4, rated medium severity.
Is CVE-2024-52522 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (12th percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2024-52522?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2024-52522 have an EU (EUVD) identifier?
Yes. CVE-2024-52522 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-3358.
When was CVE-2024-52522 published?
CVE-2024-52522 was published on 2024-11-15 and last updated on 2026-06-17.

References

Other CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities

Browse all CWE-59 (Improper Link Resolution Before File Access (Link Following)) vulnerabilities →