Rclone is a command-line program to sync files and directories to and from different cloud storage providers.
From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user.
Thanks to Nick Craig-Wood for reporting this vulnerability.