{
"id": "CVE-2024-12087",
"sourceIdentifier": "secalert@redhat.com",
"published": "2025-01-14T18:15:25.467",
"lastModified": "2025-03-11T04:15:23.443",
"vulnStatus": "Awaiting Analysis",
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, which is enabled by default for many client options and which the server can also turn on even when the client did not explicitly request it. When `--inc-recursive` is in use, a lack of proper symlink verification, combined with deduplication checks that are performed per file list rather than across the whole transfer, could allow a server to write files outside of the client's intended destination directory. A malicious server could therefore write attacker-controlled files to arbitrary locations on the client that are named after valid directories/paths; the client, not the server, is the party at risk."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad Path Traversal en rsync. Se origina en un comportamiento habilitado por la opci\u00f3n `--inc-recursive`, una opci\u00f3n habilitada de manera predeterminada para muchas opciones de cliente y que puede ser habilitada por el servidor incluso si no est\u00e1 habilitada expl\u00edcitamente por el cliente. Al usar la opci\u00f3n `--inc-recursive`, la falta de una verificaci\u00f3n de enlace simb\u00f3lico adecuada junto con las comprobaciones de deduplicaci\u00f3n que se realizan en una lista de archivos por archivo podr\u00eda permitir que un servidor escriba archivos fuera del directorio de destino previsto del cliente. Un servidor malintencionado podr\u00eda escribir archivos malintencionados en ubicaciones arbitrarias con nombres de directorios/rutas v\u00e1lidos en el cliente."
}
],
"metrics": {
"cvssMetricV31": [
{
"source": "secalert@redhat.com",
"type": "Secondary",
"cvssData": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
]
},
"weaknesses": [
{
"source": "secalert@redhat.com",
"type": "Secondary",
"description": [
{
"lang": "en",
"value": "CWE-35"
}
]
}
],
"references": [
{
"url": "https://access.redhat.com/errata/RHSA-2025:2600",
"source": "secalert@redhat.com"
},
{
"url": "https://access.redhat.com/security/cve/CVE-2024-12087",
"source": "secalert@redhat.com"
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2330672",
"source": "secalert@redhat.com"
},
{
"url": "https://kb.cert.org/vuls/id/952657",
"source": "secalert@redhat.com"
},
{
"url": "https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj",
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
}
]
}