CVE-2024-12088

Updated: 2025-02-12 02:41:08.259863

Description:

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| CVSS version | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0 |
| CVSS Version 3.x | MEDIUM | 6.5 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | rsync | 3.2.3 | 6.5 | MEDIUM | Ignored | | 2025-01-18 22:04:46 | |
| CentOS 7 ELS | rsync | 3.1.2 | 6.5 | MEDIUM | In Rollout | CLSA-2025:1738852614 | 2025-02-07 11:23:02 | |
| CentOS 8.4 ELS | rsync | 3.1.3 | 6.5 | MEDIUM | Released | CLSA-2025:1737463274 | 2025-01-22 01:31:26 | |
| CentOS 8.5 ELS | rsync | 3.1.3 | 6.5 | MEDIUM | Released | CLSA-2025:1737464920 | 2025-01-22 01:31:28 | |
| CentOS Stream 8 ELS | rsync | 3.1.3 | 6.5 | MEDIUM | Released | CLSA-2025:1738632106 | 2025-02-06 06:36:37 | |
| CloudLinux 7 ELS | rsync | 3.1.2 | 6.5 | MEDIUM | In Rollout | CLSA-2025:1738834420 | 2025-02-07 06:35:49 | |
| Oracle Linux 7 ELS | rsync | 3.1.2 | 6.5 | MEDIUM | Released | CLSA-2025:1738833413 | 2025-02-07 06:35:48 | |
| Ubuntu 16.04 ELS | rsync | 3.1.1-3 | 6.5 | MEDIUM | Released | CLSA-2025:1738632046 | 2025-02-05 02:15:18 | |
| Ubuntu 18.04 ELS | rsync | 3.1.2-2.1 | 6.5 | MEDIUM | Released | CLSA-2025:1738632064 | 2025-02-05 02:15:19 | |