Summary: A set of critical vulnerabilities has been disclosed in Rsync, a widely used file synchronization tool; they could lead to remote code execution and unauthorized data access. Security researchers have identified five high-risk vulnerabilities, some of which can be exploited together for greater impact. Users are urged to upgrade to Rsync version 3.4.0 to mitigate these risks.
Affected: Rsync, Rclone, DeltaCopy, ChronoSync, and other backup solutions
Key points:
- Five vulnerabilities disclosed: CVE-2024-12084, CVE-2024-12085, CVE-2024-12086, CVE-2024-12087, CVE-2024-12088.
- CVE-2024-12084 (CVSS 9.8): Heap-buffer-overflow allowing code execution.
- CVE-2024-12085 (CVSS 7.5): Information leak that potentially reveals sensitive data.
- CVE-2024-12086 (CVSS 6.1): File leak vulnerability enabling extraction of arbitrary files.
- CVE-2024-12087 (CVSS 6.5): External directory file-write vulnerability allowing unauthorized file writes.
- CVE-2024-12088 (CVSS 6.5): Safe-links bypass vulnerability permitting path traversal and file writes.
- Combined, CVE-2024-12084 and CVE-2024-12085 enable powerful exploits with anonymous access.
- Version 3.4.0 has been released to address these vulnerabilities.
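A quick way to check a host against the fixed release named above. This is an added example, not part of the advisory or the Rsync project. It assumes the usual `rsync --version` banner line ("rsync  version X.Y.Z  protocol version N") and a "pre" suffix on pre-release builds; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report whether the local rsync is at or above 3.4.0,
# the release the advisory says addresses CVE-2024-12084 through CVE-2024-12088.
FIXED_VERSION="3.4.0"

# Pull the version token out of the first line of `rsync --version` output.
# Assumed banner format: "rsync  version 3.2.7  protocol version 31".
rsync_banner_version() {
    printf '%s\n' "$1" | sed -n '1s/^rsync  *version  *\([^ ]*\).*/\1/p'
}

# Exit status: 0 = at or above FIXED_VERSION, 1 = below, 2 = unparsable.
rsync_version_is_fixed() {
    awk -v v="$1" -v f="$FIXED_VERSION" 'BEGIN {
        if (v !~ /^[0-9]+\.[0-9]+\.[0-9]+/) exit 2
        split(v, a, "."); split(f, b, ".")
        # Compare major, minor, patch numerically so 3.10.0 sorts above 3.4.0.
        for (i = 1; i <= 3; i++) {
            if (a[i] + 0 > b[i] + 0) exit 0
            if (a[i] + 0 < b[i] + 0) exit 1
        }
        # Same numbers as the fixed release: a pre-release build
        # (assumed "pre" suffix, e.g. 3.4.0pre1) still counts as below it.
        if (v ~ /pre/) exit 1
        exit 0
    }'
}

# Check the rsync binary on this host, if there is one.
check_local_rsync() {
    command -v rsync >/dev/null 2>&1 || { echo "rsync: not installed"; return 0; }
    ver=$(rsync_banner_version "$(rsync --version 2>/dev/null)")
    rc=0
    rsync_version_is_fixed "$ver" || rc=$?
    case $rc in
        0) echo "rsync $ver: at or above $FIXED_VERSION" ;;
        # A vendor package may carry backported fixes under an older
        # version number; confirm against the vendor's own advisory.
        1) echo "rsync $ver: below $FIXED_VERSION, upgrade or confirm a vendor backport" ;;
        *) echo "rsync: could not parse version banner" ;;
    esac
}

check_local_rsync
```

The same comparison applies to any product that bundles its own rsync binary: run that binary's `--version` and pass the banner to `rsync_banner_version`.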