Two independent groups of researchers have identified a total of 6 vulnerabilities in rsync. In the most severe CVE, an attacker only requires anonymous read access to an rsync server, such as a public mirror, to execute arbitrary code on the machine the server is running on.
- CVE-2024-12088: Rsync: --safe-links option bypass leads to path traversal
- CVE-2024-12087: Rsync: path traversal vulnerability in rsync
- CVE-2024-12085: Rsync: info leak via uninitialized stack contents
- CVE-2024-12084: No description available.
- CVE-2024-12747: Rsync: race condition in rsync handling symbolic links
- CVE-2024-12086: Rsync: rsync server leaks arbitrary client files
For more information on these vulnerabilities, please refer to the following resources:
https://vulnerability.circl.lu/bundle/d938dc28-6877-40db-ad5f-25f3051288e6