CVE-2024-12747 — Race Condition in Samba Rsync

CWE-362 — Race Condition9 documents8 sources

Severity

5.6MEDIUMNVD

EPSS

0.0%

top 97.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samba Rsync

Timeline

PublishedJan 14

Latest updateJan 28

Description

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:NExploitability: 1.1 | Impact: 4.0

Affected Packages1 packages

▶Debiansamba/rsync< 3.2.3-4+deb11u2+3

🔴Vulnerability Details

GHSA

GHSA-gp7r-m4cc-qhwq: A flaw was found in rsync↗2025-01-14

▶

OSV

CVE-2024-12747: A flaw was found in rsync↗2025-01-14

▶

CVEList

Rsync: race condition in rsync handling symbolic links↗2025-01-14

▶

📋Vendor Advisories

Ubuntu

rsync vulnerabilities↗2025-01-28

▶

Red Hat

rsync: Race Condition in rsync Handling Symbolic Links↗2025-01-14

▶

Microsoft

Rsync: race condition in rsync handling symbolic links↗2025-01-14

▶

Ubuntu

rsync vulnerabilities↗2025-01-14

▶

Debian

CVE-2024-12747: rsync - A flaw was found in rsync. This vulnerability arises from a race condition durin...↗2024

▶