CVE-2024-12088

CWE-22 — Path Traversal CWE-358 documents7 sources

Severity

7.5HIGH

EPSS

2.9%

top 13.69%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nixos Nixos Tritondatacenter Smartos Samba Rsync +14 more

Timeline

PublishedJan 14

Latest updateJan 28

Description

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶Debianrsync< 3.2.3-4+deb11u2+3

▶NVDsamba/rsync3.3.0

▶NVDnixos/nixos< 24.11

▶NVDtritondatacenter/smartos< 20250123

▶NVDredhat/discovery1.14

Also affects: Almalinux 10.0, 8.0, 9.0, Enterprise Linux 10.0, 6.0, 7.0, 8.0, 9.0, 9.6, Openshift Container Platform 4.0

🔴Vulnerability Details

OSV

CVE-2024-12088: A flaw was found in rsync↗2025-01-14

▶

CVEList

Rsync: --safe-links option bypass leads to path traversal↗2025-01-14

▶

GHSA

GHSA-ffph-g3pc-8r3g: A flaw was found in rsync↗2025-01-14

▶

📋Vendor Advisories

Ubuntu

rsync vulnerabilities↗2025-01-28

▶

Ubuntu

rsync vulnerabilities↗2025-01-14

▶

Red Hat

rsync: --safe-links option bypass leads to path traversal↗2025-01-14

▶

Debian

CVE-2024-12088: rsync - A flaw was found in rsync. When using the `--safe-links` option, the rsync clien...↗2024

▶