PT-2022-4620 · Rsync+11

Ege Balci +1 · Published 2022-08-02 · Updated 2025-09-29 · CVE-2022-29154

CVSS v2.0: 7.6 (High)
Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions: rsync versions prior to 3.2.5

Description: An issue in rsync allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files and directories are sent to the client, but the rsync client performs insufficient validation of the file names it receives. A malicious rsync server (or man-in-the-middle attacker) can overwrite arbitrary files in the rsync client target directory and its subdirectories, for example the .ssh/authorized_keys file.

Recommendations: For versions prior to 3.2.5, update to version 3.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the rsync client target directory and subdirectories to minimize the risk of exploitation. Avoid using the rsync client with untrusted servers until the issue is resolved.

Exploit

Fix

RCE

Missing Authorization

Weakness Enumeration

Related Identifiers

ALSA-2022:6180
ALSA-2022_6180
ALSA-2022_7106
ALSA-2022_7314
ALSA-2022_7793
ALSA-2022_8291
ALSA-2025_16880
ALT-PU-2022-2327
ALT-PU-2022-2368
ALT-PU-2022-2434
AZL-10461
BDU:2022-05498
CESA-2022_6170
CESA-2022_6180
CVE-2022-29154
ELSA-2022-6170
ELSA-2022-6180
ELSA-2022-6181
MGASA-2022-0302
OESA-2022-1875
OPENSUSE-SU-2022_2825-1
OPENSUSE-SU-2022_2959-1
OPENSUSE-SU-2024:12232-1
RHSA-2022:6170
RHSA-2022:6171
RHSA-2022:6172
RHSA-2022:6173
RHSA-2022:6180
RHSA-2022:6181
RHSA-2022:6551
RHSA-2022_6170
RHSA-2022_6180
RHSA-2022_6181
RLSA-2022:6180
RLSA-2022:6181
RLSA-2022_6180
RLSA-2022_6181
SUSE-RU-2023:3370-1
SUSE-SU-2022:2825-1
SUSE-SU-2022:2858-1
SUSE-SU-2022:2859-1
SUSE-SU-2022:2959-1
SUSE-SU-2022:2959-2
SUSE-SU-2022_2825-1
SUSE-SU-2022_2858-1
SUSE-SU-2022_2859-1
SUSE-SU-2022_2959-1
SUSE-SU-2026:21726-1
USN-5921-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
Rsync