An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
References
Link | Resource |
---|---|
http://www.openwall.com/lists/oss-security/2022/08/02/1 | Exploit Mailing List Patch Third Party Advisory |
https://github.com/WayneD/rsync/tags | Release Notes Third Party Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/ | |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/ |
Configurations
History
07 Nov 2023, 03:45
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
08 Aug 2023, 14:22
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-20 |
27 Oct 2022, 12:15
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/ - Mailing List, Third Party Advisory | |
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
|
First Time |
Fedoraproject
Fedoraproject fedora |
31 Aug 2022, 12:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
18 Aug 2022, 04:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
09 Aug 2022, 18:22
Type | Values Removed | Values Added |
---|---|---|
References | (MISC) https://github.com/WayneD/rsync/tags - Release Notes, Third Party Advisory | |
References | (MLIST) http://www.openwall.com/lists/oss-security/2022/08/02/1 - Exploit, Mailing List, Patch, Third Party Advisory | |
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 7.4 |
CPE | cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:* | |
CWE | CWE-862 | |
First Time |
Samba
Samba rsync |
02 Aug 2022, 15:23
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2022-08-02 15:15
Updated : 2023-12-10 14:35
NVD link : CVE-2022-29154
Mitre link : CVE-2022-29154
CVE.ORG link : CVE-2022-29154
JSON object : View
Products Affected
fedoraproject
- fedora
samba
- rsync
CWE
CWE-20
Improper Input Validation