CVE-2024-12087
Published: 14 January 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2024-12087 is a path traversal vulnerability (CWE-22) in rsync, published on 2025-01-14. The issue arises from the --inc-recursive option, which is enabled by default in many client configurations and can be enabled by the server even if the client did not explicitly request it. When this option is in use, inadequate symlink verification, combined with deduplication checks that are performed on a per-file-list basis, allows a server to write files outside the client's intended destination directory, to arbitrary locations named after valid client directories or paths.
A malicious rsync server can exploit this vulnerability against a client connecting to it, provided the --inc-recursive option is active. The attack is carried out over the network (AV:N) with low complexity (AC:L) and no privileges (PR:N), but requires user interaction (UI:R); the CVSS v3.1 base score is 6.5 (C:N/I:H/A:N/S:U). Successful exploitation enables the server to write malicious files to arbitrary locations on the client filesystem.
Red Hat has released multiple errata addressing this vulnerability, including RHBA-2025:6470, RHSA-2025:23154, RHSA-2025:23235, RHSA-2025:23407, and RHSA-2025:23415.
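A post-transfer audit for a destination directory that was populated from an untrusted server, as an added example that is not code from this advisory or from the rsync project: it lists symlinks under the destination that resolve outside it, the kind of link the summary above says is inadequately verified. The function names and the sample tree are constructed for illustration; the check reports links left in the tree and does not find files already written elsewhere.

```python
import os
import tempfile


def find_escaping_symlinks(dest_root):
    """Return sorted (relative_link, resolved_target) pairs for every symlink
    under dest_root whose resolved target lies outside dest_root."""
    root = os.path.realpath(dest_root)
    findings = []
    # followlinks=False: symlinked directories are reported but never entered,
    # so the walk itself cannot be led out of the destination.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            # realpath resolves the whole chain, including relative "../" hops
            # and links that point at other links.
            target = os.path.realpath(path)
            if os.path.commonpath([root, target]) != root:
                findings.append((os.path.relpath(path, root), target))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed sample: a destination holding one link that stays inside
    it and one directory link that points outside it."""
    dest = os.path.join(base, "dest")
    os.makedirs(os.path.join(dest, "docs"))
    os.makedirs(os.path.join(base, "outside"))
    open(os.path.join(dest, "docs", "a.txt"), "w").close()
    os.symlink("a.txt", os.path.join(dest, "docs", "ok_link"))
    os.symlink(os.path.join(base, "outside"),
               os.path.join(dest, "docs", "cache"))
    return dest


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for link, target in find_escaping_symlinks(build_sample_tree(base)):
            print(f"escaping symlink: {link} -> {target}")
```

Any hit in a tree pulled from a server you do not control is worth reviewing before further transfers into the same destination.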
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal and symlink handling vulnerabilities (CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) in rsync allow a malicious server to write arbitrary files outside the intended client destination directory, facilitating ingress tool transfer (T1105) and exploitation of the rsync client application for potential execution of dropped malicious payloads (T1203).