Rsync Certificate Validation Flaw in Version 3.2.0pre1 and Beyond
CVE-2020-14387

7.4 HIGH

Key Information:

Vendor

Samba

Status
Vendor
CVE Published:
27 May 2021

What is CVE-2020-14387?

A security issue has been identified in Rsync, affecting versions from 3.2.0pre1 onward, in which certificates are not properly validated during the rsync-ssl operation. A remote, unauthenticated attacker holding a valid certificate issued for a different hostname could use it to perform a man-in-the-middle attack. The flaw therefore poses a significant risk to the confidentiality and integrity of the data being transmitted, since that data could be intercepted and manipulated without detection. Users are advised to upgrade to version 3.2.4 or later to mitigate these risks.
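As an added illustration (not code from this page or from the rsync project), the hostname check a TLS client must perform after the chain validates: a client that stops at chain validation accepts exactly the certificate-for-another-host case described above. The SAN list and host names below are constructed sample data.

```python
import ipaddress
import ssl

# Constructed sample subjectAltName list, in the shape returned by
# ssl.SSLSocket.getpeercert()["subjectAltName"]; not a real certificate.
SAMPLE_SAN = (("DNS", "backup.example.org"),
              ("DNS", "*.mirror.example.org"),
              ("IP Address", "192.0.2.10"))

def _dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname (case-insensitive, trailing dot ignored).
    A wildcard is honoured only as the whole leftmost label, covers exactly one
    label, and needs at least two fixed labels after it."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def hostname_matches_cert(expected_host: str, san_entries) -> bool:
    """True only if expected_host is covered by a SAN entry. A chain-valid
    certificate issued for some other host yields False, which is the
    decision a client must make to defeat the substitution described above."""
    try:
        want_ip = ipaddress.ip_address(expected_host)
    except ValueError:
        want_ip = None
    for kind, value in san_entries:
        if want_ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == want_ip:
                        return True
                except ValueError:
                    continue
        elif kind == "DNS" and _dns_id_matches(value, expected_host):
            return True
    return False  # no SAN entry matched (or no SAN at all): fail closed

def verifying_context() -> ssl.SSLContext:
    """Client context that checks both the chain and the hostname; the default
    context already enables both, so never clear check_hostname on it."""
    ctx = ssl.create_default_context()
    if not ctx.check_hostname or ctx.verify_mode != ssl.CERT_REQUIRED:
        raise RuntimeError("TLS context would not verify the peer hostname")
    return ctx
```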

Affected Version(s)

rsync rsync 3.2.4

References

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
