CVE-2024-12086

Summary

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

Affected Software

VendorProductVersion RangeStatus
0 <= 3.3.0affected
Red HatRed Hat Enterprise Linux 100:3.4.1-2.el10 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.2.5-7.el9_8 < *unaffected
Red HatRed Hat Enterprise Linux 90:3.2.5-7.el9_8 < *unaffected
Red HatRed Hat Enterprise Linux 9.6 Extended Update Support0:3.2.5-3.el9_6.1 < *unaffected
Red HatRed Hat Discovery 21782166952 < *unaffected

Weaknesses

  • CWE-390: Detection of Error Condition Without Action

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

CVE Program Container

Additional References

References