Description
The parse_arguments function in options.c in rsyncd in rsync before 3.1.3 does not prevent multiple --protect-args uses, which allows remote attackers to bypass an argument-sanitization protection mechanism.
Exploits (1)
References (9)
Core 9
Core References
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2018/01/msg00021.html
Various Sources x_refsource_confirm
https://git.samba.org/rsync.git/?p=rsync.git%3Ba=commit%3Bh=7706303828fcde524222babb2833864a4bd09e07
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1040276
Third Party Advisory vendor-advisory
x_refsource_ubuntu
https://usn.ubuntu.com/3543-1/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201805-04
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/102803
Release Notes, Vendor Advisory x_refsource_confirm
https://download.samba.org/pub/rsync/src-previews/rsync-3.1.3pre1-NEWS
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/03/msg00027.html
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/11/msg00028.html
Scores
CVSS v3
7.5
EPSS
0.1007
EPSS Percentile
93.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
Status
published
Products (7)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
17.10
debian/debian_linux
7.0
debian/debian_linux
8.0
debian/debian_linux
9.0
samba/rsync
< 3.1.3
Published
Jan 17, 2018
Tracked Since
Feb 18, 2026