CVE-2022-29154: Input Validation
First published: Tue Jul 26 2022(Updated: )
Rsync could allow a remote attacker to bypass security restrictions, caused by improper validation of file names. By utilize man-in-the-middle attack techniques, an attacker could exploit this vulnerability to write arbitrary files inside the directories of connecting peers.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Samba Rsync | <3.2.5 | |
| Fedoraproject Fedora | =35 | |
| Fedoraproject Fedora | =36 | |
| redhat/rsync | <3.2.5 | 3.2.5 |
| redhat/rsync | <0:3.1.2-11.el7_9 | 0:3.1.2-11.el7_9 |
| redhat/rsync | <0:3.1.3-14.el8_6.3 | 0:3.1.3-14.el8_6.3 |
| redhat/rsync | <0:3.1.3-6.el8_1.2 | 0:3.1.3-6.el8_1.2 |
| redhat/rsync | <0:3.1.3-7.el8_2.2 | 0:3.1.3-7.el8_2.2 |
| redhat/rsync | <0:3.1.3-12.el8_4.2 | 0:3.1.3-12.el8_4.2 |
| redhat/rsync | <0:3.2.3-9.el9_0.2 | 0:3.2.3-9.el9_0.2 |
| IBM BM Security Guardium | <=11.3 | |
| IBM Security Guardium | <=11.4 | |
| IBM Security Guardium | <=11.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://exchange.xforce.ibmcloud.com/vulnerabilities/232637
- https://www.ibm.com/support/pages/node/6999317 (Advisory)
- http://www.openwall.com/lists/oss-security/2022/08/02/1
- https://github.com/WayneD/rsync/tags
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2115430
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2115431
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2115429
- https://access.redhat.com/errata/RHSA-2022:6173
- https://access.redhat.com/errata/RHSA-2022:6172
- https://access.redhat.com/errata/RHSA-2022:6181
- https://access.redhat.com/errata/RHSA-2022:6180
- https://access.redhat.com/errata/RHSA-2022:6171
- https://access.redhat.com/errata/RHSA-2022:6170
- https://access.redhat.com/security/cve/cve-2022-29154
- https://access.redhat.com/errata/RHSA-2022:6551
- https://bugzilla.redhat.com/show_bug.cgi?id=2110928
- https://www.cve.org/CVERecord?id=CVE-2022-29154 https://nvd.nist.gov/vuln/detail/CVE-2022-29154 https://www.openwall.com/lists/oss-security/2022/08/02/1
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this issue in rsync?
The vulnerability ID for this issue in rsync is CVE-2022-29154.
What is the severity of CVE-2022-29154?
The severity of CVE-2022-29154 is high.
How does the vulnerability in rsync allow an attacker to bypass security restrictions?
The vulnerability in rsync allows a remote attacker to bypass security restrictions by improperly validating file names and writing arbitrary files inside the directories of connecting peers.
Which versions of rsync are affected by CVE-2022-29154?
Versions of rsync before 3.2.5 are affected by CVE-2022-29154.
How can I fix the vulnerability in rsync?
To fix the vulnerability in rsync, you should update to version 3.2.5 or later.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/ibm-support
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-29154
- agent/software-canonical-lookup
- collector/redhat-cve
- vendor/ibm
- canonical/ibm bm security guardium
- version/ibm bm security guardium/11.3
- canonical/ibm security guardium
- version/ibm security guardium/11.4
- version/ibm security guardium/11.5
- vendor/samba
- canonical/samba rsync
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/35
- version/fedoraproject fedora/36
- package-manager/redhat