Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged
Permalink CVE-2024-12087
6.5 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): LOW
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): NONE
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 year, 2 months ago
Rsync: path traversal vulnerability in rsync

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.

References

Affected products

rhcos
rsync
  • *
  • =<3.3.0
discovery/discovery-ui-rhel9
  • *
registry.redhat.io/discovery/discovery-ui-rhel9
  • *

Matching in nixpkgs

pkgs.rsync

Fast incremental file transfer utility

pkgs.grsync

Synchronize folders, files and make backups

pkgs.rrsync

Helper to run rsync-only environments from ssh-logins

pkgs.librsync

Implementation of the rsync remote-delta algorithm

pkgs.diskrsync

Rsync for block devices and disk images

Package maintainers