csaf_suse - suse-su-2025:0991-1

Vulnerability from csaf_suse

Published

2025-03-24 13:56

Modified

2025-03-24 13:56

Summary

Security update for rsync

Notes

Title of the patch

Security update for rsync

Description of the patch

This update for rsync fixes the following issues: - CVE-2024-12747: Fixed race condition in handling symbolic links (bsc#1235475) - Broken rsyncd after protocol bump, regression reported (bsc#1237187). - Bump protocol version to 32 - make it easier to show server is patched.

Patchnames

SUSE-2025-991,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-991,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-991,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-991,SUSE-SUSE-MicroOS-5.1-2025-991,SUSE-SUSE-MicroOS-5.2-2025-991,SUSE-Storage-7.1-2025-991

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
   document: {
      aggregate_severity: {
         namespace: "https://www.suse.com/support/security/rating/",
         text: "moderate",
      },
      category: "csaf_security_advisory",
      csaf_version: "2.0",
      distribution: {
         text: "Copyright 2024 SUSE LLC. All rights reserved.",
         tlp: {
            label: "WHITE",
            url: "https://www.first.org/tlp/",
         },
      },
      lang: "en",
      notes: [
         {
            category: "summary",
            text: "Security update for rsync",
            title: "Title of the patch",
         },
         {
            category: "description",
            text: "This update for rsync fixes the following issues:\n\n- CVE-2024-12747: Fixed race condition in handling symbolic links (bsc#1235475)\n\n- Broken rsyncd after protocol bump, regression reported (bsc#1237187).\n- Bump protocol version to 32 - make it easier to show server is patched. \n\n",
            title: "Description of the patch",
         },
         {
            category: "details",
            text: "SUSE-2025-991,SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-991,SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-991,SUSE-SLE-Product-SLES_SAP-15-SP3-2025-991,SUSE-SUSE-MicroOS-5.1-2025-991,SUSE-SUSE-MicroOS-5.2-2025-991,SUSE-Storage-7.1-2025-991",
            title: "Patchnames",
         },
         {
            category: "legal_disclaimer",
            text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
            title: "Terms of use",
         },
      ],
      publisher: {
         category: "vendor",
         contact_details: "https://www.suse.com/support/security/contact/",
         name: "SUSE Product Security Team",
         namespace: "https://www.suse.com/",
      },
      references: [
         {
            category: "external",
            summary: "SUSE ratings",
            url: "https://www.suse.com/support/security/rating/",
         },
         {
            category: "self",
            summary: "URL of this CSAF notice",
            url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2025_0991-1.json",
         },
         {
            category: "self",
            summary: "URL for SUSE-SU-2025:0991-1",
            url: "https://www.suse.com/support/update/announcement/2025/suse-su-20250991-1/",
         },
         {
            category: "self",
            summary: "E-Mail link for SUSE-SU-2025:0991-1",
            url: "https://lists.suse.com/pipermail/sle-security-updates/2025-March/020585.html",
         },
         {
            category: "self",
            summary: "SUSE Bug 1235475",
            url: "https://bugzilla.suse.com/1235475",
         },
         {
            category: "self",
            summary: "SUSE Bug 1237187",
            url: "https://bugzilla.suse.com/1237187",
         },
         {
            category: "self",
            summary: "SUSE CVE CVE-2024-12747 page",
            url: "https://www.suse.com/security/cve/CVE-2024-12747/",
         },
      ],
      title: "Security update for rsync",
      tracking: {
         current_release_date: "2025-03-24T13:56:41Z",
         generator: {
            date: "2025-03-24T13:56:41Z",
            engine: {
               name: "cve-database.git:bin/generate-csaf.pl",
               version: "1",
            },
         },
         id: "SUSE-SU-2025:0991-1",
         initial_release_date: "2025-03-24T13:56:41Z",
         revision_history: [
            {
               date: "2025-03-24T13:56:41Z",
               number: "1",
               summary: "Current version",
            },
         ],
         status: "final",
         version: "1",
      },
   },
   product_tree: {
      branches: [
         {
            branches: [
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rsync-3.2.3-150000.4.36.1.aarch64",
                        product: {
                           name: "rsync-3.2.3-150000.4.36.1.aarch64",
                           product_id: "rsync-3.2.3-150000.4.36.1.aarch64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "aarch64",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rsync-3.2.3-150000.4.36.1.i586",
                        product: {
                           name: "rsync-3.2.3-150000.4.36.1.i586",
                           product_id: "rsync-3.2.3-150000.4.36.1.i586",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "i586",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rsync-3.2.3-150000.4.36.1.ppc64le",
                        product: {
                           name: "rsync-3.2.3-150000.4.36.1.ppc64le",
                           product_id: "rsync-3.2.3-150000.4.36.1.ppc64le",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "ppc64le",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rsync-3.2.3-150000.4.36.1.s390x",
                        product: {
                           name: "rsync-3.2.3-150000.4.36.1.s390x",
                           product_id: "rsync-3.2.3-150000.4.36.1.s390x",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "s390x",
               },
               {
                  branches: [
                     {
                        category: "product_version",
                        name: "rsync-3.2.3-150000.4.36.1.x86_64",
                        product: {
                           name: "rsync-3.2.3-150000.4.36.1.x86_64",
                           product_id: "rsync-3.2.3-150000.4.36.1.x86_64",
                        },
                     },
                  ],
                  category: "architecture",
                  name: "x86_64",
               },
               {
                  branches: [
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                        product: {
                           name: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                           product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sle_hpc-ltss:15:sp3",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Server 15 SP3-LTSS",
                        product: {
                           name: "SUSE Linux Enterprise Server 15 SP3-LTSS",
                           product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sles-ltss:15:sp3",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                        product: {
                           name: "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                           product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:sles_sap:15:sp3",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Micro 5.1",
                        product: {
                           name: "SUSE Linux Enterprise Micro 5.1",
                           product_id: "SUSE Linux Enterprise Micro 5.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:suse-microos:5.1",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Linux Enterprise Micro 5.2",
                        product: {
                           name: "SUSE Linux Enterprise Micro 5.2",
                           product_id: "SUSE Linux Enterprise Micro 5.2",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:suse-microos:5.2",
                           },
                        },
                     },
                     {
                        category: "product_name",
                        name: "SUSE Enterprise Storage 7.1",
                        product: {
                           name: "SUSE Enterprise Storage 7.1",
                           product_id: "SUSE Enterprise Storage 7.1",
                           product_identification_helper: {
                              cpe: "cpe:/o:suse:ses:7.1",
                           },
                        },
                     },
                  ],
                  category: "product_family",
                  name: "SUSE Linux Enterprise",
               },
            ],
            category: "vendor",
            name: "SUSE",
         },
      ],
      relationships: [
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.aarch64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
               product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.x86_64 as component of SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
               product_id: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.aarch64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
               product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.ppc64le as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
               product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.ppc64le",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.s390x as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
               product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.s390x",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.x86_64 as component of SUSE Linux Enterprise Server 15 SP3-LTSS",
               product_id: "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Server 15 SP3-LTSS",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.ppc64le as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
               product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.ppc64le",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.ppc64le",
            relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.x86_64 as component of SUSE Linux Enterprise Server for SAP Applications 15 SP3",
               product_id: "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.x86_64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Server for SAP Applications 15 SP3",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.aarch64 as component of SUSE Linux Enterprise Micro 5.1",
               product_id: "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.aarch64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Micro 5.1",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.s390x as component of SUSE Linux Enterprise Micro 5.1",
               product_id: "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.s390x",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Micro 5.1",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.x86_64 as component of SUSE Linux Enterprise Micro 5.1",
               product_id: "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.x86_64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Micro 5.1",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.aarch64 as component of SUSE Linux Enterprise Micro 5.2",
               product_id: "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.aarch64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.aarch64",
            relates_to_product_reference: "SUSE Linux Enterprise Micro 5.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.s390x as component of SUSE Linux Enterprise Micro 5.2",
               product_id: "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.s390x",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.s390x",
            relates_to_product_reference: "SUSE Linux Enterprise Micro 5.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.x86_64 as component of SUSE Linux Enterprise Micro 5.2",
               product_id: "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.x86_64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.x86_64",
            relates_to_product_reference: "SUSE Linux Enterprise Micro 5.2",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.aarch64 as component of SUSE Enterprise Storage 7.1",
               product_id: "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.aarch64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.aarch64",
            relates_to_product_reference: "SUSE Enterprise Storage 7.1",
         },
         {
            category: "default_component_of",
            full_product_name: {
               name: "rsync-3.2.3-150000.4.36.1.x86_64 as component of SUSE Enterprise Storage 7.1",
               product_id: "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.x86_64",
            },
            product_reference: "rsync-3.2.3-150000.4.36.1.x86_64",
            relates_to_product_reference: "SUSE Enterprise Storage 7.1",
         },
      ],
   },
   vulnerabilities: [
      {
         cve: "CVE-2024-12747",
         ids: [
            {
               system_name: "SUSE CVE Page",
               text: "https://www.suse.com/security/cve/CVE-2024-12747",
            },
         ],
         notes: [
            {
               category: "general",
               text: "A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.",
               title: "CVE description",
            },
         ],
         product_status: {
            recommended: [
               "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.aarch64",
               "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.x86_64",
               "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
               "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
               "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.aarch64",
               "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.s390x",
               "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.x86_64",
               "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.aarch64",
               "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.s390x",
               "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.x86_64",
               "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
               "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.ppc64le",
               "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.s390x",
               "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
               "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.ppc64le",
               "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.x86_64",
            ],
         },
         references: [
            {
               category: "external",
               summary: "CVE-2024-12747",
               url: "https://www.suse.com/security/cve/CVE-2024-12747",
            },
            {
               category: "external",
               summary: "SUSE Bug 1233760 for CVE-2024-12747",
               url: "https://bugzilla.suse.com/1233760",
            },
            {
               category: "external",
               summary: "SUSE Bug 1235475 for CVE-2024-12747",
               url: "https://bugzilla.suse.com/1235475",
            },
         ],
         remediations: [
            {
               category: "vendor_fix",
               details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
               product_ids: [
                  "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.s390x",
                  "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.s390x",
                  "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.ppc64le",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.s390x",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.ppc64le",
                  "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.x86_64",
               ],
            },
         ],
         scores: [
            {
               cvss_v3: {
                  baseScore: 6.3,
                  baseSeverity: "MEDIUM",
                  vectorString: "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
               products: [
                  "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Enterprise Storage 7.1:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.s390x",
                  "SUSE Linux Enterprise Micro 5.1:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.s390x",
                  "SUSE Linux Enterprise Micro 5.2:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.aarch64",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.ppc64le",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.s390x",
                  "SUSE Linux Enterprise Server 15 SP3-LTSS:rsync-3.2.3-150000.4.36.1.x86_64",
                  "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.ppc64le",
                  "SUSE Linux Enterprise Server for SAP Applications 15 SP3:rsync-3.2.3-150000.4.36.1.x86_64",
               ],
            },
         ],
         threats: [
            {
               category: "impact",
               date: "2025-03-24T13:56:41Z",
               details: "moderate",
            },
         ],
         title: "CVE-2024-12747",
      },
   ],
}

CVE-2024-12747 (GCVE-0-2024-12747)

Vulnerability from cvelistv5

Published

2025-01-14 17:39

Modified

2025-03-15 00:15

Severity ?

5.6 (Medium) - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

Summary

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

References

▼	URL	Tags
	https://access.redhat.com/errata/RHSA-2025:2600	vendor-advisory, x_refsource_REDHAT
	https://access.redhat.com/security/cve/CVE-2024-12747	vdb-entry, x_refsource_REDHAT
	https://bugzilla.redhat.com/show_bug.cgi?id=2332968	issue-tracking, x_refsource_REDHAT
	https://kb.cert.org/vuls/id/952657

Impacted products

Vendor

Product

Version

▼

Version: 0 ≤ 3.3.0

Red Hat	Red Hat Enterprise Linux 8	Unaffected: 0:3.1.3-21.el8_10 < * cpe:/o:redhat:enterprise_linux:8::baseos
Red Hat	Red Hat Enterprise Linux 6	cpe:/o:redhat:enterprise_linux:6
Red Hat	Red Hat Enterprise Linux 7	cpe:/o:redhat:enterprise_linux:7
Red Hat	Red Hat Enterprise Linux 9	cpe:/o:redhat:enterprise_linux:9
Red Hat	Red Hat OpenShift Container Platform 4	cpe:/a:redhat:openshift:4

Show details on NVD website

JSON

To clipboard

{
   containers: {
      adp: [
         {
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-12747",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "no",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2025-01-14T18:38:10.199669Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2025-01-14T18:38:36.602Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
      ],
      cna: {
         affected: [
            {
               collectionURL: "https://github.com/RsyncProject/rsync",
               defaultStatus: "unaffected",
               packageName: "rsync",
               versions: [
                  {
                     lessThanOrEqual: "3.3.0",
                     status: "affected",
                     version: "0",
                     versionType: "semver",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:8::baseos",
               ],
               defaultStatus: "affected",
               packageName: "rsync",
               product: "Red Hat Enterprise Linux 8",
               vendor: "Red Hat",
               versions: [
                  {
                     lessThan: "*",
                     status: "unaffected",
                     version: "0:3.1.3-21.el8_10",
                     versionType: "rpm",
                  },
               ],
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:6",
               ],
               defaultStatus: "unknown",
               packageName: "rsync",
               product: "Red Hat Enterprise Linux 6",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:7",
               ],
               defaultStatus: "unknown",
               packageName: "rsync",
               product: "Red Hat Enterprise Linux 7",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/o:redhat:enterprise_linux:9",
               ],
               defaultStatus: "affected",
               packageName: "rsync",
               product: "Red Hat Enterprise Linux 9",
               vendor: "Red Hat",
            },
            {
               collectionURL: "https://access.redhat.com/downloads/content/package-browser/",
               cpes: [
                  "cpe:/a:redhat:openshift:4",
               ],
               defaultStatus: "affected",
               packageName: "rhcos",
               product: "Red Hat OpenShift Container Platform 4",
               vendor: "Red Hat",
            },
         ],
         credits: [
            {
               lang: "en",
               value: "Red Hat would like to thank Aleksei Gorban \"loqpa\" for reporting this issue.",
            },
         ],
         datePublic: "2025-01-14T15:06:00.000Z",
         descriptions: [
            {
               lang: "en",
               value: "A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.",
            },
         ],
         metrics: [
            {
               other: {
                  content: {
                     namespace: "https://access.redhat.com/security/updates/classification/",
                     value: "Moderate",
                  },
                  type: "Red Hat severity rating",
               },
            },
            {
               cvssV3_1: {
                  attackComplexity: "HIGH",
                  attackVector: "LOCAL",
                  availabilityImpact: "NONE",
                  baseScore: 5.6,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "HIGH",
                  integrityImpact: "NONE",
                  privilegesRequired: "LOW",
                  scope: "CHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
                  version: "3.1",
               },
               format: "CVSS",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-362",
                     description: "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2025-03-15T00:15:23.593Z",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               name: "RHSA-2025:2600",
               tags: [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/errata/RHSA-2025:2600",
            },
            {
               tags: [
                  "vdb-entry",
                  "x_refsource_REDHAT",
               ],
               url: "https://access.redhat.com/security/cve/CVE-2024-12747",
            },
            {
               name: "RHBZ#2332968",
               tags: [
                  "issue-tracking",
                  "x_refsource_REDHAT",
               ],
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2332968",
            },
            {
               url: "https://kb.cert.org/vuls/id/952657",
            },
         ],
         timeline: [
            {
               lang: "en",
               time: "2024-12-18T07:12:52.493000+00:00",
               value: "Reported to Red Hat.",
            },
            {
               lang: "en",
               time: "2025-01-14T15:06:00+00:00",
               value: "Made public.",
            },
         ],
         title: "Rsync: race condition in rsync handling symbolic links",
         workarounds: [
            {
               lang: "en",
               value: "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
            },
         ],
         x_redhatCweChain: "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')",
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2024-12747",
      datePublished: "2025-01-14T17:39:16.031Z",
      dateReserved: "2024-12-18T06:49:21.481Z",
      dateUpdated: "2025-03-15T00:15:23.593Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
}

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

Vulnerability from csaf_suse

CVE-2024-12747 (GCVE-0-2024-12747)

Vulnerability from cvelistv5

Tags

Sightings

Nomenclature