CVE-2024-12085

CVE-2024-12085 affects rsync; a flaw in checksum comparison allows an attacker to manipulate s2length, causing comparisons against uninitialized memory and leaking one byte of uninitialized stack data per interaction. The issue is rated HIGH (CVSS 3.1: 7.5) with network attack vector and no user ...

CVE-2024-12088

CVE-2024-12088 is a path-traversal vulnerability in rsync when using --safe-links, arising from improper verification of symbolic-link destinations on the server side, potentially allowing writes outside the target directory. Concrete remediation details appear in multiple connected advisories: C...

CVE-2024-12087

CVE-2024-12087 affects rsync and is described in connected advisories as a path traversal vulnerability triggered by the --inc-recursive behavior, arising from insufficient symlink verification and per-file-list deduplication checks. The result could allow a server to write files outside the clie...

CVE-2024-12084

CVE-2024-12084: Rsync daemon heap-based buffer overflow caused by improper handling of attacker-controlled checksum lengths (s2length). When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an out-of-bounds write to sum2 is possible. Public advisories confirm this bug affects rsync version...

CVE-2020-5291

Bubblewrap (bwrap)

CVE-2024-12086

The CVE-2024-12086 entry concerns rsync. A flaw in rsync’s checksum-based comparison during client→server file transfer can enable a server to enumerate contents of files on the client by sending crafted checksum values and analyzing responses. The connected documents confirm rsync is affected an...