Vulnerability DatabaseCVE-2024-12087

CVE-2024-12087:
rsync vulnerability analysis and mitigation

Overview

A path traversal vulnerability (CVE-2024-12087) was discovered in rsync affecting versions prior to 3.4.0. The vulnerability stems from behavior enabled by the --inc-recursive option, which is default-enabled for many client options and can be enabled by the server even if not explicitly enabled by the client (CERT VU, NVD). The vulnerability was disclosed on January 14, 2025.

Technical details

The vulnerability occurs when using the --inc-recursive option, where a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis creates a security weakness. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) (NVD, Fortra).

Impact

When exploited, this vulnerability could allow a malicious server to write files outside of the client's intended destination directory. The server could write malicious files to arbitrary locations named after valid directories/paths on the client system (NVD, CERT VU).

Mitigation and workarounds

Users are advised to upgrade to rsync version 3.4.0 or later, as this version addresses the vulnerability. Organizations should prioritize updating all instances of rsync in their environment to the patched version (Fortra).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a Wiz customer?

Request vulnerability assessment

7.5

Score

Published January 14, 2025

Severity HIGH

CNA Score 6.5

Affected Technologies

rsync
Rocky Linux

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 68.9

Exploitation Probability (EPSS) 0.6

Affected packages and libraries

rsync-doc
rsync

Sources

NVD
AlmaLinux Security Advisory
- AlmaLinux 8 Severity MEDIUMHas FixAdded at: Mar 19, 2025
Alpine Security Tracker
- Alpine 3.18, 3.19, 3.20, 3.21, edge Severity HIGHHas FixAdded at: Jan 16, 2025
- Alpine 3.22 Severity HIGHHas FixAdded at: Jun 01, 2025
CBL-Mariner
- CBL-Mariner 2.0 Severity MEDIUMHas FixAdded at: Jan 26, 2025
- CBL-Mariner 3.0 Severity MEDIUMHas FixAdded at: May 04, 2025
Container-Optimized OS Release Notes
- Container-Optimized OS Severity HIGHHas FixAdded at: Jan 26, 2025
Debian Security Tracker
- Debian 11, 12, 13 Severity HIGHHas FixAdded at: Jan 15, 2025
Gentoo Advisory Database
- Gentoo Severity HIGHHas FixAdded at: Jan 16, 2025
Homebrew
- Homebrew Severity HIGHNo FixAdded at: Jun 22, 2025
Nix
- Nix Severity HIGHNo FixAdded at: Jun 22, 2025
Photon Security Advisory
- Photon 4.0, 5.0 Severity MEDIUMHas FixAdded at: Jan 19, 2025
Red Hat Errata
- Red Hat 6, 7 Severity MEDIUMNo FixAdded at: Jan 14, 2025
- Red Hat 8 Severity MEDIUMHas FixAdded at: Jan 15, 2025
- Red Hat 9 Severity MEDIUMHas FixAdded at: Jan 15, 2025
- Red Hat 10 Severity MEDIUMNo FixAdded at: May 23, 2025
Rocky Linux Product Errata
- Rocky 8 Severity MEDIUMHas FixAdded at: May 11, 2025
Ubuntu Security Tracker
- Ubuntu 16.04, 18.04, 20.04, 22.04, 24.04 Severity MEDIUMHas FixAdded at: Jan 15, 2025
- Ubuntu 24.10 Severity MEDIUMHas FixAdded at: Feb 02, 2025