Taha Hamad

#34177 of 53,633
7.6 Total CVSS
Vulnerabilities · 1
PT-2022-4620
7.6
2022-08-02
Rsync · Rsync · CVE-2022-29154
**Name of the Vulnerable Software and Affected Versions** rsync versions prior to 3.2.5
**Description** An issue in rsync allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files and directories are sent to the client, and the rsync client performs insufficient validation of the file names it receives. A malicious rsync server (or a man-in-the-middle attacker on an unauthenticated rsync:// connection) can therefore overwrite arbitrary files in the rsync client's target directory and its subdirectories, for example the .ssh/authorized_keys file, which yields persistent remote access if the target directory is a user's home directory.
**Recommendations** For versions prior to 3.2.5, update to version 3.2.5 or later to resolve the issue. As a temporary workaround, run the rsync client as a low-privilege account and pull into a dedicated target directory that contains nothing sensitive (no .ssh, no dotfiles, no executables on a search path), so that an injected name cannot land anywhere that grants the attacker further access. Prefer rsync over SSH to an rsync:// daemon connection, which removes the man-in-the-middle vector but not the malicious-server one. Avoid using the rsync client with untrusted servers until the client is updated.
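The class of check the description is about, as an added illustration rather than rsync's own code: a pulling client has to verify every name the server sends against what it asked for, because the server picks the names. The model below refuses names that would escape the target directory (absolute paths, `..`, `.` or empty components) and, when the client requested specific items rather than a directory's contents, names whose top-level component was never requested. The `requested_paths` format (source paths already parsed out of `host::module/path`) and the `ROGUE_FILE_LIST` data are assumptions constructed for the example; the real fix in rsync 3.2.5 is more involved.

```python
"""Modelled client-side validation of a file list received from an rsync
server. Added illustration only, not rsync's own code. The point is the
class of check a pulling client needs: a name chosen by the server must
neither escape the target directory nor add a top-level item the client
never requested. All sample data below is constructed.
"""
import posixpath


def allowed_top_level(requested_paths):
    """Top-level names the client asked for, or None if any name is allowed.

    requested_paths are the source paths as given after the module name
    (assumption: already parsed out of host::module/path). A path ending in
    '/' asks for the directory's contents, so the server legitimately picks
    every top-level name; any other path transfers the item itself, so only
    its basename may appear at the top level of the received list.
    """
    allowed = set()
    for path in requested_paths:
        if path == "" or path.endswith("/"):
            return None
        allowed.add(posixpath.basename(path))
    return allowed


def is_safe_entry(name, allowed):
    """True if `name`, as sent by the server, may be written under the target."""
    if not name or "\0" in name or name.startswith("/"):
        return False                       # empty, NUL-embedded or absolute
    parts = name.split("/")
    if any(p in ("", ".", "..") for p in parts):
        return False                       # '//', './' or '../' components
    if allowed is not None and parts[0] not in allowed:
        return False                       # unrequested top-level name
    return True


def filter_file_list(requested_paths, received_names):
    """Split the server's file list into names the client accepts and names
    it refuses; a real client would abort the transfer on any refusal."""
    allowed = allowed_top_level(requested_paths)
    accepted, rejected = [], []
    for name in received_names:
        (accepted if is_safe_entry(name, allowed) else rejected).append(name)
    return accepted, rejected


# Constructed file list from a rogue server: two legitimate entries followed
# by three attempts to land a file outside what the client asked for.
ROGUE_FILE_LIST = [
    "www",
    "www/index.html",
    "www/../../.ssh/authorized_keys",   # traversal out of the target
    ".ssh/authorized_keys",             # unrequested top-level name
    "/etc/cron.d/job",                  # absolute path
]

if __name__ == "__main__":
    ok, bad = filter_file_list(["backup/www"], ROGUE_FILE_LIST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Note the limit of the top-level check: if the client asked for `backup/www/` (a directory's contents), the server legitimately decides every name, so `.ssh/authorized_keys` passes this model and only the traversal and absolute-path entries are refused. That is why the advisory's workaround of pulling into a dedicated, non-sensitive target directory matters even with the check in place.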