- 31/2025
- Critical
Rsync has released security updatesto fix several vulnerabilities affecting all Rsync versions up to and including version 3.4.0.
The addressed vulnerabilities could allow the attacker to obtain sensitive information, bypass security restrictions, gain elevated privileges, manipulate data, or execute arbitrary code and gain access to the affected systems.
Sample of the addressed vulnerabilities:
1. Rsync Heap Buffer Overflow Vulnerability (CVE-2024-12084):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Rsync Information Disclosure Vulnerability (CVE-2024-12085):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Obtain Information
Vulnerabilities
- CVE-2024-12084
- CVE-2024-12085
- CVE-2024-12086
- CVE-2024-12087
- CVE-2024-12088
- CVE-2024-12747
Mitigations
The enterprise should upgrade to the latest Rsync patches from the Rsync GitHub Repository and the Rsync Source Downloads and ensure users update their software promptly; any bundled software containing Rsync must also be kept current to address vulnerabilities.