File Enumeration Vulnerability in rsync by Red Hat
CVE-2024-12086

6.1MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 6; Red Hat Enterprise Linux 7; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9
Vendor: CVE Published:; 14 January 2025

Summary

A vulnerability in rsync has been identified that allows a server to expose the contents of files located on a client's machine. This issue arises during the process of file synchronization, where the rsync server transmits checksums of its local files to a client for comparison, determining which files need to be transferred. By exploiting this vulnerability, an attacker can craft specific checksum values to coax the rsync server into divulging sensitive information about arbitrary files. This enables a potential attacker to reconstruct the data from these files byte by byte, posing a significant risk to the integrity and confidentiality of sensitive information.

References

https://access.redhat.com/security/cve/CVE-2024-12086

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2330577

issue-trackingx_refsource_REDHAT

https://kb.cert.org/vuls/id/952657

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Jan 14, 2025
Vulnerability Reserved
Dec 3, 2024

Credit

Red Hat would like to thank Jasiel Spelman (Google), Pedro Gallegos (Google), and Simon Scannell (Google) for reporting this issue.