SUSE update for rsync

1) Path traversal

EUVDB-ID: #VU102736

Risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-12088

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote server to write files to arbitrary locations on the system.

The vulnerability exists due to input validation error when using "--safe-links" option. A remote attacker can can trick the victim into connecting to a rouge rsync server and write arbitrary files to arbitrary locations on the client system.

Mitigation

Update the affected package rsync to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security

SUSE Linux Enterprise Server for SAP Applications 12: SP5

SUSE Linux Enterprise Server 12: SP5

rsync: before 3.1.3-3.28.1

rsync-debuginfo: before 3.1.3-3.28.1

rsync-debugsource: before 3.1.3-3.28.1

CPE2.3

• cpe:2.3:o:suse:suse_linux_enterprise_server_12_sp5_ltss_extended:Security:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_for_sap_applications_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:o:suse:suse_linux_enterprise_server_12:SP5:*:*:*:*:*:*:*
• cpe:2.3:a:suse:rsync:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:rsync-debuginfo:*:*:*:*:*:suse_linux:*:*
• cpe:2.3:a:suse:rsync-debugsource:*:*:*:*:*:suse_linux:*:*

External links

https://www.suse.com/support/update/announcement/2025/suse-su-20251330-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.