Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2024-12087

Опубликовано: 14 янв. 2025
Источник: nvd
CVSS3: 6.5
CVSS3: 7.5
EPSS Низкий

Описание

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the --inc-recursive option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the --inc-recursive option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

Ссылки

Уязвимые конфигурации

Конфигурация 1
cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*
Версия до 3.3.0 (включая)
Конфигурация 2

Одно из

cpe:2.3:o:almalinux:almalinux:8.0:-:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:9.0:-:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:10.0:-:*:*:*:*:*:*
Конфигурация 3
cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*
Конфигурация 4
cpe:2.3:o:gentoo:linux:-:*:*:*:*:*:*:*
Конфигурация 5
cpe:2.3:o:nixos:nixos:*:*:*:*:*:*:*:*
Версия до 24.11 (исключая)
Конфигурация 6
cpe:2.3:o:suse:suse_linux:-:*:*:*:*:*:*:*
Конфигурация 7
cpe:2.3:o:tritondatacenter:smartos:*:*:*:*:*:*:*:*
Версия до 20250123 (исключая)
Конфигурация 8

Одно из

cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.6_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.6_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.6:*:*:*:*:*:*:*

EPSS

Процентиль: 70%
0.00661
Низкий

6.5 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-35
CWE-22

Связанные уязвимости

ubuntu логотип

CVE-2024-12087

CVSS3: 6.5
ubuntu
7 месяцев назад

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

redhat логотип

CVE-2024-12087

CVSS3: 6.5
redhat
7 месяцев назад

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

msrc логотип

CVE-2024-12087

CVSS3: 6.5
msrc
7 месяцев назад

Описание отсутствует

debian логотип

CVE-2024-12087

CVSS3: 6.5
debian
7 месяцев назад

A path traversal vulnerability exists in rsync. It stems from behavior ...

github логотип

GHSA-9x68-7qq6-v523

CVSS3: 6.5
github
7 месяцев назад

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

EPSS

Процентиль: 70%
0.00661
Низкий

6.5 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-35
CWE-22