CVE-2024-12088

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-12088
A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

6.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://access.redhat.com/errata/RHSA-2025:2600 Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:7050 Third Party Advisory
https://access.redhat.com/errata/RHSA-2025:8385 Third Party Advisory
https://access.redhat.com/security/cve/CVE-2024-12088 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2330676 Issue Tracking Third Party Advisory
https://kb.cert.org/vuls/id/952657 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:discovery:1.14:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.6_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.6_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.6:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:o:gentoo:linux:-:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:o:nixos:nixos:*:*:*:*:*:*:*:*

Configuration 6 (hide)

cpe:2.3:o:novell:suse_linux:-:*:*:*:*:*:*:*

Configuration 7 (hide)

cpe:2.3:o:tritondatacenter:smartos:*:*:*:*:*:*:*:*

Configuration 8 (hide)

OR cpe:2.3:o:almalinux:almalinux:8.0:-:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:9.0:-:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:10.0:-:*:*:*:*:*:*
History

03 Nov 2025, 22:16

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html -
  • () https://www.kb.cert.org/vuls/id/952657 -

03 Nov 2025, 21:16

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20250131-0002/ -

12 Aug 2025, 21:15

Type Values Removed Values Added
CWE CWE-35

18 Jun 2025, 16:29

Type Values Removed Values Added
CWE CWE-22
References () https://access.redhat.com/errata/RHSA-2025:2600 - () https://access.redhat.com/errata/RHSA-2025:2600 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2025:7050 - () https://access.redhat.com/errata/RHSA-2025:7050 - Third Party Advisory
References () https://access.redhat.com/errata/RHSA-2025:8385 - () https://access.redhat.com/errata/RHSA-2025:8385 - Third Party Advisory
References () https://access.redhat.com/security/cve/CVE-2024-12088 - () https://access.redhat.com/security/cve/CVE-2024-12088 - Third Party Advisory
References () https://bugzilla.redhat.com/show_bug.cgi?id=2330676 - () https://bugzilla.redhat.com/show_bug.cgi?id=2330676 - Issue Tracking, Third Party Advisory
References () https://kb.cert.org/vuls/id/952657 - () https://kb.cert.org/vuls/id/952657 - Third Party Advisory
References () https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj - () https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj - Third Party Advisory
First Time Redhat
Redhat enterprise Linux For Ibm Z Systems Eus
Redhat enterprise Linux For Power Little Endian
Archlinux arch Linux
Samba rsync
Redhat enterprise Linux For Arm 64 Eus
Redhat enterprise Linux Server Aus
Redhat enterprise Linux Eus
Redhat enterprise Linux For Arm 64
Redhat enterprise Linux Update Services For Sap Solutions
Almalinux
Redhat openshift Container Platform
Gentoo
Redhat enterprise Linux For Ibm Z Systems
Nixos
Nixos nixos
Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
Novell
Novell suse Linux
Tritondatacenter
Samba
Archlinux
Redhat discovery
Tritondatacenter smartos
Gentoo linux
Redhat enterprise Linux For Power Little Endian Eus
Almalinux almalinux
Redhat enterprise Linux
CPE cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:archlinux:arch_linux:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.6:*:*:*:*:*:*:*
cpe:2.3:o:tritondatacenter:smartos:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:novell:suse_linux:-:*:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:8.0:-:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.6_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:nixos:nixos:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_update_services_for_sap_solutions:9.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.6_s390x:*:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:10.0:-:*:*:*:*:*:*
cpe:2.3:a:redhat:discovery:1.14:*:*:*:*:*:*:*
cpe:2.3:o:gentoo:linux:-:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:almalinux:almalinux:9.0:-:*:*:*:*:*:*

02 Jun 2025, 15:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:8385 -

13 May 2025, 10:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:7050 -

11 Mar 2025, 04:15

Type Values Removed Values Added
References
  • () https://access.redhat.com/errata/RHSA-2025:2600 -

26 Feb 2025, 15:15

Type Values Removed Values Added
References
  • () https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj -

10 Feb 2025, 12:15

Type Values Removed Values Added
Summary
  • (es) Se encontró un fallo en rsync. Al usar la opción `--safe-links`, rsync no verifica correctamente si un destino de enlace simbólico contiene otro enlace simbólico dentro de él. Esto genera una vulnerabilidad de Path Traversal, que puede provocar la escritura arbitraria de archivos fuera del directorio deseado.
Summary (en) A flaw was found in rsync. When using the `--safe-links` option, rsync fails to properly verify if a symbolic link destination contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory. (en) A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

14 Jan 2025, 22:15

Type Values Removed Values Added
References
  • () https://kb.cert.org/vuls/id/952657 -

14 Jan 2025, 18:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-01-14 18:15

Updated : 2025-11-03 22:16

NVD link : CVE-2024-12088

Mitre link : CVE-2024-12088

CVE.ORG link : CVE-2024-12088

JSON object : View

Products Affected

redhat

  • enterprise_linux_for_ibm_z_systems
  • enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions
  • enterprise_linux_eus
  • enterprise_linux
  • enterprise_linux_for_arm_64
  • enterprise_linux_for_ibm_z_systems_eus
  • discovery
  • enterprise_linux_for_arm_64_eus
  • enterprise_linux_for_power_little_endian
  • enterprise_linux_update_services_for_sap_solutions
  • openshift_container_platform
  • enterprise_linux_server_aus
  • enterprise_linux_for_power_little_endian_eus

nixos

  • nixos

tritondatacenter

  • smartos

archlinux

  • arch_linux

gentoo

  • linux

novell

  • suse_linux

samba

  • rsync

almalinux

  • almalinux
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')