CVE-2024-12088

MEDIUM

rsync < 3.3.0 - Path Traversal and Arbitrary File Write via Symbolic Link Verification Bypass

Title source: llm
STIX 2.1

Description

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

References (11)

Core 11
Core References
Third Party Advisory
https://kb.cert.org/vuls/id/952657
Third Party Advisory, US Government Resource
https://www.kb.cert.org/vuls/id/952657
Vendor Advisory vendor-advisory x_refsource_redhat
RHBA-2025:6470
https://access.redhat.com/errata/RHBA-2025:6470
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:2600
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:7050
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2025:8385
Third Party Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-12088
Issue Tracking, Third Party Advisory issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2330676

Scores

CVSS v3 6.5
EPSS 0.0289
EPSS Percentile 86.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-22
Status published
Products (36)
almalinux/almalinux 8.0
almalinux/almalinux 9.0
almalinux/almalinux 10.0
archlinux/arch_linux
gentoo/linux
nixos/nixos < 24.11
novell/suse_linux
Red Hat/Red Hat Discovery 1.14 sha256:492e412759cf0eedfa5b557f7b0865f8864f84d0ed75e11dc8d7a840837d9644
Red Hat/Red Hat Enterprise Linux 10 0:3.4.1-2.el10
Red Hat/Red Hat Enterprise Linux 6
... and 26 more
Published Jan 14, 2025
Tracked Since Feb 18, 2026