Rsync
Monthly
Local privilege escalation in the rsync daemon (versions ≤ 3.4.2) is possible via a TOCTOU symlink race when the daemon is configured with 'use chroot = no'. An authenticated local attacker with write access to a module can replace a parent directory component with a symlink between the receiver's path check and its open() call, redirecting writes outside the module root and overwriting sensitive files. The described precondition disappears with 'use chroot = yes', so the first check is to audit rsyncd.conf for modules that disable it. No public exploit had been identified at the time of analysis, but the upstream fix in release 3.4.3 and a detailed VulnCheck advisory describe the precise race window.
Stack memory corruption in rsync before 3.4.3 allows a network-positioned attacker to write a single null byte past the end of a fixed-size stack buffer in establish_proxy_connection() in socket.c. The bug is only reachable when the RSYNC_PROXY environment variable is set and the attacker controls, or can intercept traffic to, the configured HTTP proxy; invocations that never set RSYNC_PROXY do not enter that code path. Impact is limited to a low-severity availability disruption (process crash) with no confidentiality or integrity exposure, and no public exploit had been identified at the time of analysis.
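An added example of the bug class named above, not rsync's code: a routine that copies a proxy's reply line into a fixed-size buffer and then writes the terminator, so that a reply exactly filling the buffer puts the null byte one past its end, beside a hardened version that keeps room for the terminator and refuses over-long lines. The function names, buffer size and the constructed "HTTP/1.0 200" reply are assumptions for the demonstration; the scratch array carries one spare byte so the stray write is observable without undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: copy at most bufsize bytes of the reply line, then
 * terminate. If the line fills the buffer, n == bufsize and the terminator
 * is written one byte past the end. Returns bytes copied. */
size_t read_reply_vuln(char *buf, size_t bufsize, const char *reply, size_t len)
{
    size_t n = 0;
    while (n < len && n < bufsize && reply[n] != '\n') {
        buf[n] = reply[n];
        n++;
    }
    buf[n] = '\0';    /* n may equal bufsize: null byte past the end */
    return n;
}

/* Hardened: reserve one byte for the terminator and fail on over-long lines
 * instead of silently truncating (a truncated status line is not worth
 * trusting anyway). Returns bytes copied, or -1 if the line does not fit. */
long read_reply_fixed(char *buf, size_t bufsize, const char *reply, size_t len)
{
    size_t n = 0;
    if (bufsize == 0)
        return -1;
    while (n < len && reply[n] != '\n') {
        if (n == bufsize - 1)
            return -1;    /* would need bufsize bytes plus the terminator */
        buf[n] = reply[n];
        n++;
    }
    buf[n] = '\0';
    return (long)n;
}

#define DEMO_BUF 16

/* Feed both routines a constructed status line longer than the buffer.
 * storage[DEMO_BUF] is a canary just past the "real" buffer. Returns 1 if the
 * vulnerable copy clobbered the canary and the hardened copy refused the line
 * and left the canary untouched. */
int demo_proxy_overflow(void)
{
    static const char reply[] = "HTTP/1.0 200 Connection established\r\n";
    char storage[DEMO_BUF + 1];
    int vuln_clobbered, fixed_intact;

    memset(storage, 0xAA, sizeof storage);
    read_reply_vuln(storage, DEMO_BUF, reply, sizeof reply - 1);
    vuln_clobbered = (unsigned char)storage[DEMO_BUF] == 0x00;

    memset(storage, 0xAA, sizeof storage);
    fixed_intact = read_reply_fixed(storage, DEMO_BUF, reply, sizeof reply - 1) == -1
                && (unsigned char)storage[DEMO_BUF] == 0xAA;

    return vuln_clobbered && fixed_intact;
}

/* A line that fits must still parse normally. Returns 1 on success. */
int demo_proxy_short_line(void)
{
    char storage[DEMO_BUF + 1];
    long n = read_reply_fixed(storage, DEMO_BUF, "HTTP/1.0 200\r\nxx", 16);
    return n == 13 && strcmp(storage, "HTTP/1.0 200\r") == 0;
}

int main(void)
{
    printf("overflow demo: %d, short line: %d\n", demo_proxy_overflow(), demo_proxy_short_line());
    return 0;
}
```

A single null byte past a stack buffer typically lands in padding, a saved register or a canary, which is why the realistic outcome is a crash rather than control-flow hijack; the fix is still to make the bound correct rather than to rely on what happens to sit next to the buffer.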
Use-after-free in rsync 3.0.1 through 3.4.1 allows authenticated remote attackers to compromise confidentiality, integrity, and availability when the victim runs rsync with extended attribute support (-X/--xattrs) enabled. The flaw stems from qsort operations driven by untrusted length values during extended attribute processing; Linux systems in common configurations are widely affected, and non-Linux platforms face broader exposure still. EPSS probability is negligible (0.01%, 3rd percentile), there is no confirmed active exploitation (SSVC: none), and no public exploit code has been identified, which makes this a patch-now-but-not-emergency priority despite the 7.4 CVSS score.
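The page gives the root cause only as "qsort operations on untrusted length values". As an added example of that general class, not rsync's xattr code or wire format, the following parses a constructed, hypothetical attribute list (little-endian u32 count, then count entries of u8 name length plus name bytes) in two ways: a vulnerable shape that trusts the peer's count for both the allocation and the qsort() element count while the parse loop stops silently when the bytes run out, and a hardened shape that bounds the count by what the data can hold, parses, and sorts exactly the number of entries actually parsed. Format, struct and function names are assumptions for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, hypothetical format (not rsync's): u32 LE count, then count
 * entries of [u8 name_len][name bytes]. */
struct attr { char name[64]; };

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int cmp_attr(const void *a, const void *b)
{
    return strcmp(((const struct attr *)a)->name, ((const struct attr *)b)->name);
}

/* Vulnerable shape, shown for contrast only (never call on untrusted data):
 * the peer's count sizes the allocation and is handed to qsort() unchanged,
 * while parsing quietly stops when the bytes run out. qsort() then compares
 * entries that were never written, or memory that is no longer ours if the
 * array was freed or shrunk in between. */
struct attr *parse_attrs_vuln(const unsigned char *buf, size_t len, uint32_t *count_out)
{
    uint32_t count = rd32(buf);                 /* attacker-controlled */
    struct attr *arr = malloc((size_t)count * sizeof *arr);
    size_t pos = 4, i = 0;
    while (i < count && pos < len) {
        size_t nlen = buf[pos++];
        if (nlen >= sizeof arr->name || nlen > len - pos)
            break;
        memcpy(arr[i].name, buf + pos, nlen);
        arr[i].name[nlen] = '\0';
        pos += nlen;
        i++;
    }
    qsort(arr, count, sizeof *arr, cmp_attr);   /* count, not i */
    *count_out = count;
    return arr;
}

/* Hardened: the count is a claim to be checked. Bound it by the bytes
 * present, reject short or trailing data, and sort only what was parsed.
 * Returns the number of entries (caller frees *out), or -1 on malformed input. */
long parse_attrs_fixed(const unsigned char *buf, size_t len, struct attr **out)
{
    *out = NULL;
    if (len < 4)
        return -1;
    uint32_t count = rd32(buf);
    size_t pos = 4, parsed = 0;
    if (count > len - 4)                        /* every entry needs >= 1 byte */
        return -1;
    struct attr *arr = calloc(count ? count : 1, sizeof *arr);
    if (!arr)
        return -1;
    while (parsed < count) {
        if (pos >= len) { free(arr); return -1; }
        size_t nlen = buf[pos++];
        if (nlen == 0 || nlen >= sizeof arr->name || nlen > len - pos) { free(arr); return -1; }
        memcpy(arr[parsed].name, buf + pos, nlen);
        arr[parsed].name[nlen] = '\0';
        pos += nlen;
        parsed++;
    }
    if (pos != len) { free(arr); return -1; }   /* trailing bytes: reject */
    qsort(arr, parsed, sizeof *arr, cmp_attr);  /* parsed, never count */
    *out = arr;
    return (long)parsed;
}

/* Constructed messages: a well-formed list, a count far beyond the data, and
 * a count that passes the size bound but still exceeds the entries present.
 * Returns 1 if the hardened parser sorts the first and rejects the others. */
int demo_attr_parse(void)
{
    static const unsigned char good[] = {
        3, 0, 0, 0,
        4, 'u', 's', 'e', 'r',
        5, 't', 'r', 'u', 's', 't',
        3, 'a', 'c', 'l'
    };
    static const unsigned char huge[]  = { 0xff, 0xff, 0xff, 0x7f, 3, 'a', 'c', 'l' };
    static const unsigned char shrt[]  = { 2, 0, 0, 0, 3, 'a', 'c', 'l' };
    struct attr *arr;
    long n = parse_attrs_fixed(good, sizeof good, &arr);
    int ok = n == 3 && strcmp(arr[0].name, "acl") == 0
                    && strcmp(arr[1].name, "trust") == 0
                    && strcmp(arr[2].name, "user") == 0;
    free(arr);
    ok = ok && parse_attrs_fixed(huge, sizeof huge, &arr) == -1 && arr == NULL;
    ok = ok && parse_attrs_fixed(shrt, sizeof shrt, &arr) == -1 && arr == NULL;
    return ok;
}

int main(void)
{
    printf("attr parse demo: %d\n", demo_attr_parse());
    return 0;
}
```

The rule the hardened version follows is the one worth carrying into any protocol parser: a length or count from the peer decides nothing on its own, and the element count handed to qsort(), memcpy() or a loop bound must be the number of elements the code itself materialised.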
A heap-based buffer overflow flaw was found in the rsync daemon. Rated critical (CVSS 9.8): it is remotely exploitable, requires no authentication, and has low attack complexity. Public exploit code is available and no vendor patch was available at the time of analysis.