CVE-2024-12747: Rsync: race condition in rsync handling symbolic links
First published: Wed Dec 18 2024(Updated: )
A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/rsync | <=3.2.3-4+deb11u1<=3.2.7-1 | 3.2.3-4+deb11u3 3.2.7-1+deb12u2 3.3.0+ds1-4 |
| F5 BIG-IP and BIG-IQ Centralized Management |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12747
- https://nvd.nist.gov/vuln/detail/CVE-2024-12747
- https://launchpad.net/bugs/cve/CVE-2024-12747
- https://security-tracker.debian.org/tracker/CVE-2024-12747
- https://ubuntu.com/security/CVE-2024-12747
- https://www.openwall.com/lists/oss-security/2025/01/14/3
- https://git.samba.org/?p=rsync.git;a=commit;h=0590b09d9a34ae72741b91ec0708a820650198b0
- https://www.bleepingcomputer.com/news/security/qnap-fixes-six-rsync-vulnerabilities-in-hbs-nas-backup-recovery-app/
- https://access.redhat.com/security/cve/CVE-2024-12747
- https://bugzilla.redhat.com/show_bug.cgi?id=2332968
- https://kb.cert.org/vuls/id/952657
- https://access.redhat.com/errata/RHSA-2025:2600
- https://my.f5.com/manage/s/article/K000150363
Peer vulnerabilities
(Found alongside the following vulnerabilities)
Frequently Asked Questions
What is the severity of CVE-2024-12747?
CVE-2024-12747 is considered a high-severity vulnerability due to its potential exploitation through a race condition in rsync.
How do I fix CVE-2024-12747?
To fix CVE-2024-12747, upgrade rsync to version 3.2.3-4+deb11u3, 3.2.7-1+deb12u2, or 3.3.0+ds1-4.
Which versions of rsync are affected by CVE-2024-12747?
Rsync versions up to and including 3.2.3-4+deb11u1 and 3.2.7-1 are affected by CVE-2024-12747.
What type of vulnerability is CVE-2024-12747?
CVE-2024-12747 is a race condition vulnerability occurring during the handling of symbolic links in rsync.
Can CVE-2024-12747 be exploited remotely?
Yes, CVE-2024-12747 can be exploited remotely if an attacker can replace a regular file with a symbolic link during rsync operations.
- agent/title
- agent/type
- agent/first-publish-date
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/softwarecombine
- agent/description
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-12084
- alias/CVE-2024-12085
- alias/CVE-2024-12086
- alias/CVE-2024-12087
- alias/CVE-2024-12088
- alias/CVE-2024-12747
- agent/news-ai
- exploited/true
- agent/source
- agent/severity
- agent/event
- agent/trending
- collector/nvd-cve
- source/NVD
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- collector/nvd-api
- agent/last-modified-date
- agent/weakness
- collector/f5-advisory
- source/F5
- package-manager/debian
- vendor/f5
- canonical/f5 big-ip and big-iq centralized management