CVE-2024-12088: 
rsync vulnerability analysis and mitigation

A vulnerability (CVE-2024-12088) was discovered in rsync affecting the --safe-links option functionality. The flaw exists in the rsync client's verification process when handling symbolic link destinations sent from the server. The vulnerability was disclosed on January 14, 2025, and affects rsync versions prior to 3.4.0 (NVD, Ubuntu Blog).

The vulnerability occurs when the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This path traversal vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N. The vulnerability is classified as CWE-35 (Path Traversal) (NVD, Sysdig Blog).

When exploited, this vulnerability may lead to arbitrary file writes outside the desired directory. This means an attacker could potentially write files to unauthorized locations on the client system when using the --safe-links option (NVD, CERT VU).

The vulnerability has been fixed in rsync version 3.4.0. Users are advised to upgrade their rsync installations to this version or later. Multiple Linux distributions have released security updates to address this vulnerability, including Ubuntu, Red Hat, and SUSE. For Ubuntu systems, users can update using the command 'sudo apt update && sudo apt upgrade' (Ubuntu Blog).