Updated: 2025-06-19 04:03:56.859794
Description:
A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.
| Links | NIST | CIRCL | RHEL | Ubuntu |
| Severity | Score | |
|---|---|---|
| CVSS Version 2.x | 0 | |
| CVSS Version 3.x | HIGH | 7.5 |
| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| AlmaLinux 9.2 ESU | rsync | 3.2.3 | 7.5 | HIGH | In Testing | 2025-07-05 02:24:14 | ||
| CentOS 6 ELS | rsync | 3.0.6 | 7.5 | HIGH | In Rollout | CLSA-2025:1751134987 | 2025-06-29 04:23:21 | |
| CentOS 7 ELS | rsync | 3.1.2 | 7.5 | HIGH | Released | CLSA-2025:1738852614 | 2025-02-20 06:41:15 | |
| CentOS 8.4 ELS | rsync | 3.1.3 | 7.5 | HIGH | Released | CLSA-2025:1737463274 | 2025-01-22 01:31:26 | |
| CentOS 8.5 ELS | rsync | 3.1.3 | 7.5 | HIGH | Released | CLSA-2025:1737464920 | 2025-01-22 01:31:28 | |
| CentOS Stream 8 ELS | rsync | 3.1.3 | 7.5 | HIGH | Released | CLSA-2025:1738632106 | 2025-02-06 06:36:37 | |
| CloudLinux 6 ELS | rsync | 3.0.6 | 7.5 | HIGH | Released | CLSA-2025:1751277418 | 2025-07-04 02:07:35 | |
| CloudLinux 7 ELS | rsync | 3.1.2 | 7.5 | HIGH | Released | CLSA-2025:1738834420 | 2025-02-20 06:41:13 | |
| Oracle Linux 6 ELS | rsync | 3.0.6 | 7.5 | HIGH | Released | CLSA-2025:1750781004 | 2025-06-25 02:55:34 | |
| Oracle Linux 7 ELS | rsync | 3.1.2 | 7.5 | HIGH | Released | CLSA-2025:1738833413 | 2025-02-07 06:35:48 |