CVE-2024-12088NVD

Vulnerability Summary

A flaw was found in rsync. When using the `--safe-links` option, the rsync client fails to properly verify if a symbolic link destination sent from the server contains another symbolic link within it. This results in a path traversal vulnerability, which may lead to arbitrary file write outside the desired directory.

Severity Level

MEDIUM(6.5)

Published Date

Jan 14, 2025

Last Modified

Apr 14, 2026

Exploitation Status

????

EPSS Score (30-Day)

2.89%Probability

Root Weakness (CWE)

CWE-22: Path Traversal ↗

The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory.

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionRequired

ScopeUnchanged

ConfidentialityNone

IntegrityHigh

AvailabilityNone

External References

https://access.redhat.com/errata/RHBA-2025:6470
https://access.redhat.com/errata/RHSA-2025:2600
https://access.redhat.com/errata/RHSA-2025:7050
https://access.redhat.com/errata/RHSA-2025:8385
https://access.redhat.com/security/cve/CVE-2024-12088
https://bugzilla.redhat.com/show_bug.cgi?id=2330676
https://kb.cert.org/vuls/id/952657
https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
https://security.netapp.com/advisory/ntap-20250131-0002/
https://www.kb.cert.org/vuls/id/952657
https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj

Critical Alert 1 Active Exploit Detected Today

CVE Watchtower

CVE-2024-12088NVD

Vulnerability Summary

External References