Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-12088

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Published

2025-01-14T18:15:25.643

Last Modified

2025-06-18T16:29:29.573

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 6.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-35
Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	samba	rsync	≤ 3.3.0	Yes
Application	redhat	discovery	1.14	Yes
Application	redhat	openshift_container_platform	4.0	Yes
Operating System	redhat	enterprise_linux	6.0	Yes
Operating System	redhat	enterprise_linux	7.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Operating System	redhat	enterprise_linux	9.0	Yes
Operating System	redhat	enterprise_linux	10.0	Yes
Operating System	redhat	enterprise_linux_eus	9.6	Yes
Operating System	redhat	enterprise_linux_for_arm_64	8.0_aarch64	Yes
Operating System	redhat	enterprise_linux_for_arm_64	9.0_aarch64	Yes
Operating System	redhat	enterprise_linux_for_arm_64_eus	9.6_aarch64	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems	8.0_s390x	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems	9.0_s390x	Yes
Operating System	redhat	enterprise_linux_for_ibm_z_systems_eus	9.6_s390x	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian	8.0_ppc64le	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian	9.0_ppc64le	Yes
Operating System	redhat	enterprise_linux_for_power_little_endian_eus	9.6_ppc64le	Yes
Operating System	redhat	enterprise_linux_server_aus	9.6	Yes
Operating System	redhat	enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions	9.6_ppc64le	Yes
Operating System	redhat	enterprise_linux_update_services_for_sap_solutions	9.6	Yes
Operating System	archlinux	arch_linux	-	Yes
Operating System	gentoo	linux	-	Yes
Operating System	nixos	nixos	< 24.11	Yes
Operating System	novell	suse_linux	-	Yes
Operating System	tritondatacenter	smartos	< 20250123	Yes
Operating System	almalinux	almalinux	8.0	Yes
Operating System	almalinux	almalinux	9.0	Yes
Operating System	almalinux	almalinux	10.0	Yes

References

https://access.redhat.com/errata/RHSA-2025:2600 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2025:7050 Third Party Advisory ([email protected])
https://access.redhat.com/errata/RHSA-2025:8385 Third Party Advisory ([email protected])
https://access.redhat.com/security/cve/CVE-2024-12088 Third Party Advisory ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=2330676 Issue Tracking, Third Party Advisory ([email protected])
https://kb.cert.org/vuls/id/952657 Third Party Advisory ([email protected])
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj Third Party Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)