CVE-2024-12747
5.6
MEDIUM
CVSS 3.1
EPSS 0.01%
Description
A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.
How to fix CVE-2024-12747
To remediate CVE-2024-12747, upgrade the affected package to a fixed version below.
- —upgrade to 3.4.0-r0 or later
- —upgrade to 3.2.3-4+deb11u2 or later
Is CVE-2024-12747 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.4.0-r0
- from 0, < 3.2.3-4+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.6 | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |