CVE-2024-12085

CWE-908 — Use of Uninitialized Resource CWE-119 — Buffer Overflow14 documents9 sources

Severity

7.5HIGH

EPSS

19.1%

top 4.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nixos Nixos Samba Rsync Tritondatacenter Smartos +16 more

Timeline

PublishedJan 14

Latest updateFeb 10

Description

A flaw was found in rsync which could be triggered when rsync compares file checksums. This flaw allows an attacker to manipulate the checksum length (s2length) to cause a comparison between a checksum and uninitialized memory and leak one byte of uninitialized stack data at a time.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDsamba/rsync< 3.3.0

▶Debianrsync< 3.2.3-4+deb11u2+3

▶Ubuntursync< 3.1.3-8ubuntu0.8+5

▶NVDtritondatacenter/smartos< 20250123

▶NVDnixos/nixos< 24.11

Also affects: Almalinux 10.0, 8.0, 9.0, Enterprise Linux 8.0, 9.0, 8.8, 9.2, 9.4, 9.6, 8.2, 8.4, 8.6, Openshift Container Platform 4.12, 4.13, 4.14, 4.15, 4.16, 4.17

🔴Vulnerability Details

OSV

rsync regression↗2025-02-10

▶

OSV

rsync vulnerabilities↗2025-01-28

▶

OSV

rsync regression↗2025-01-16

▶

GHSA

GHSA-xh5q-pch5-g3xq: A flaw was found in the rsync daemon which could be triggered when rsync compares file checksums↗2025-01-14

▶

OSV

CVE-2024-12085: A flaw was found in rsync which could be triggered when rsync compares file checksums↗2025-01-14

▶

📋Vendor Advisories

Ubuntu

rsync vulnerabilities↗2025-01-28

▶

Red Hat

rsync: Info Leak via Uninitialized Stack Contents↗2025-01-14

▶

Ubuntu

rsync vulnerabilities↗2025-01-14

▶

Microsoft

Rsync: info leak via uninitialized stack contents↗2025-01-14

▶

Debian

CVE-2024-12085: rsync - A flaw was found in rsync which could be triggered when rsync compares file chec...↗2024

▶