CVE-2024-12087

Published Jan 14, 2025

Last updated 25 days ago

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-12087 is a path traversal vulnerability in the rsync utility. It is related to the `--inc-recursive` option, which is enabled by default for many client options and can also be enabled by the server. The vulnerability arises from insufficient symlink verification combined with deduplication checks that are performed separately for each file list. This allows a malicious server to write files outside the client's intended destination directory, placing attacker-controlled files at arbitrary locations named after valid directories or paths on the client system.

Description
A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, which is enabled by default for many client options and can be enabled by the server even if the client did not explicitly request it. With `--inc-recursive` in effect, a lack of proper symlink verification, coupled with deduplication checks that occur separately for each file list, could allow a server to write files outside the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
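The core of this bug class, a destination containment check that trusts path names without resolving symlinks, as an added Python example that is not rsync's code and not the upstream fix. It constructs a temporary destination directory containing a subdirectory entry `data` that is really a symlink pointing outside the destination, then compares a lexical containment check (which accepts `data/payload`) with one that resolves symlinks before checking (which rejects it). The function names `naive_is_inside`, `resolved_is_inside` and `demo` and the directory layout are hypothetical; rsync's per-file-list deduplication is not modeled.

```python
import os
import tempfile


def naive_is_inside(dest_root: str, rel_path: str) -> bool:
    """Lexical containment check: collapses '..' and '.' but never consults the
    filesystem, so a directory component that is actually a symlink to another
    location is accepted as if it were a real subdirectory."""
    root = os.path.abspath(dest_root)
    target = os.path.normpath(os.path.join(root, rel_path))
    return target == root or target.startswith(root + os.sep)


def resolved_is_inside(dest_root: str, rel_path: str) -> bool:
    """Containment check after resolving every symlink in both the root and the
    candidate path. A name that is lexically inside the root but routes through
    a symlink pointing elsewhere resolves outside the root and is rejected."""
    root = os.path.realpath(dest_root)
    target = os.path.realpath(os.path.join(root, rel_path))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:
        # Raised when the paths cannot share a prefix (e.g. different drives).
        return False


def demo() -> dict:
    """Build a constructed layout under a temp dir and run both checks against
    a symlink-routed path and a plain '..' path."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")       # the client's intended destination
        outside = os.path.join(tmp, "outside")  # somewhere the client never meant to write
        os.makedirs(dest)
        os.makedirs(outside)
        # Constructed: an entry named like a normal subdirectory of dest that is
        # really a symlink to the outside directory.
        os.symlink(outside, os.path.join(dest, "data"))

        # A path a server might name: lexically <dest>/data/payload.
        symlinked = "data/payload"
        # A plain traversal that even the lexical check catches.
        dotdot = "../outside/payload"
        return {
            "naive": naive_is_inside(dest, symlinked),            # True: accepted
            "resolved": resolved_is_inside(dest, symlinked),      # False: rejected
            "dotdot_naive": naive_is_inside(dest, dotdot),        # False
            "dotdot_resolved": resolved_is_inside(dest, dotdot),  # False
        }


if __name__ == "__main__":
    print(demo())
```

The lexical check is the one that lets a server-chosen path land outside the destination: the path never contains `..`, so normalization finds nothing wrong, yet the write follows the symlink. Resolving before checking is the general defense; a practical client must also guard against the symlink being created or swapped between the check and the write, which this illustration does not attempt. Fixed rsync releases (3.4.0 and later) address the issue itself; the check above is a general illustration, not the upstream patch.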
Source
secalert@redhat.com
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
6.5
Impact score
3.6
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Severity
MEDIUM

Weaknesses

secalert@redhat.com
CWE-35

Social media

Hype score
Not currently trending