Insufficient Environment Variable Sanitization in rsync Affects Debian and Ubuntu
CVE-2019-3464

9.8CRITICAL

Key Information:

Vendor
Debian Gnu/linux
Status
Rssh
Vendor
CVE Published:
6 February 2019

Summary

The vulnerability in rsync stems from insufficient sanitization of environment variables. This issue allows attackers to bypass the restrictions enforced by the rssh shell, which is designed to limit users to rsync operations only. Consequently, this flaw can lead to arbitrary shell command execution, posing significant security risks for systems relying on these components.

Affected Version(s)

rssh All versions before 2.3.4-5+deb9u2 and 2.3.4-10

References

https://www.debian.org/security/2019/dsa-4382
vendor-advisoryx_refsource_DEBIAN
https://lists.debian.org/debian-lts-announce/2019/02/msg0...
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/106839
vdb-entryx_refsource_BID

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.