Date: Wed, 27 Jun 2018 11:40:47 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: oss-security-list@...tactdaniel.net
Subject: Re: rclone data exflitration / unauthorized API use

Hi Daniel,

On Tue, Jun 26, 2018 at 05:56:18PM -0700, oss-security-list@...tactdaniel.net wrote:
> Due to its reliance on vulnerable upstream vendor SDKs & APIs, all
> current versions of 'rclone' are subject to a variety of attacks.
>
> This vulnerability is an instance of a class of security vulnerabilities
> that affect a wide variety of software. Any API which has clients
> perform actions on arbitrary URLs chosen by the API server will lead to
> this class of attack becoming a concern.
>
> Current Google Cloud Storage SDKs/APIs, Backblaze B2 APIs, and Yandex
> Disk APIs are affected.
>
> No CVE is presently assigned.
>
> Further details at:
> https://www.danieldent.com/blog/restless-vulnerability-non-browser-cross-domain-http-request-attacks/

We have a policy here that while list postings may refer to external
URLs, they must be complete on their own, and yours is not. Please see:

http://oss-security.openwall.org/wiki/mailing-lists/oss-security#list-content-guidelines

I'm attaching a text export of your blog post to this message. Next
time, please do something like this on your own.

Thanks,

Alexander

View attachment "restless-vuln.txt" of type "text/plain" (5799 bytes)