A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2025:2600 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2025:7050 | Third Party Advisory |
https://access.redhat.com/errata/RHSA-2025:8385 | Third Party Advisory |
https://access.redhat.com/security/cve/CVE-2024-12087 | Third Party Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2330672 | Issue Tracking Third Party Advisory |
https://kb.cert.org/vuls/id/952657 | Third Party Advisory |
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj | Exploit Third Party Advisory |
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
Configuration 4 (hide)
|
Configuration 5 (hide)
|
Configuration 6 (hide)
|
Configuration 7 (hide)
|
Configuration 8 (hide)
|
History
20 Jun 2025, 18:28
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-22 | |
First Time |
Suse suse Linux
Redhat Redhat enterprise Linux For Ibm Z Systems Eus Redhat enterprise Linux For Power Little Endian Archlinux arch Linux Samba rsync Redhat enterprise Linux For Arm 64 Eus Redhat enterprise Linux Server Aus Redhat enterprise Linux Eus Redhat enterprise Linux For Arm 64 Redhat enterprise Linux Update Services For Sap Solutions Almalinux Gentoo Nixos Redhat enterprise Linux For Ibm Z Systems Nixos nixos Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Tritondatacenter Samba Archlinux Suse Tritondatacenter smartos Gentoo linux Redhat enterprise Linux For Power Little Endian Eus Almalinux almalinux Redhat enterprise Linux |
|
References | () https://access.redhat.com/errata/RHSA-2025:2600 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2025:7050 - Third Party Advisory | |
References | () https://access.redhat.com/errata/RHSA-2025:8385 - Third Party Advisory | |
References | () https://access.redhat.com/security/cve/CVE-2024-12087 - Third Party Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=2330672 - Issue Tracking, Third Party Advisory | |
References | () https://kb.cert.org/vuls/id/952657 - Third Party Advisory | |
References | () https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj - Exploit, Third Party Advisory | |
CPE | cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.6_ppc64le:*:*:*:*:*:*:* cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:* cpe:2.3:o:tritondatacenter:smartos:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_aus:9.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:* cpe:2.3:o:almalinux:almalinux:8.0:-:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.6_ppc64le:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.6_aarch64:*:*:*:*:*:*:* cpe:2.3:o:nixos:nixos:*:*:*:*:*:*:*:* cpe:2.3:o:suse:suse_linux:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.6:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_eus:9.6:*:*:*:*:*:*:* cpe:2.3:o:almalinux:almalinux:10.0:-:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.6_s390x:*:*:*:*:*:*:* cpe:2.3:o:gentoo:linux:-:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:* cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:* cpe:2.3:o:almalinux:almalinux:9.0:-:*:*:*:*:*:* |
02 Jun 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
13 May 2025, 10:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
11 Mar 2025, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
26 Feb 2025, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Summary |
|
14 Jan 2025, 22:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
14 Jan 2025, 18:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2025-01-14 18:15
Updated : 2025-06-20 18:28
NVD link : CVE-2024-12087
Mitre link : CVE-2024-12087
CVE.ORG link : CVE-2024-12087
JSON object : View
Products Affected
redhat
- enterprise_linux_eus
- enterprise_linux_for_ibm_z_systems_eus
- enterprise_linux_update_services_for_sap_solutions
- enterprise_linux_for_arm_64_eus
- enterprise_linux_for_power_little_endian_eus
- enterprise_linux_for_arm_64
- enterprise_linux_for_power_little_endian
- enterprise_linux_for_ibm_z_systems
- enterprise_linux_server_aus
- enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions
- enterprise_linux
samba
- rsync
almalinux
- almalinux
nixos
- nixos
gentoo
- linux
tritondatacenter
- smartos
suse
- suse_linux
archlinux
- arch_linux