{"id":"UBUNTU-CVE-2024-12087","details":"A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, which is enabled by default for many client options and can be enabled by the server even if the client does not explicitly enable it. When the `--inc-recursive` option is in use, a lack of proper symlink verification, coupled with deduplication checks that occur on a per-file-list basis, could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.","modified":"2026-02-04T04:09:59.847895Z","published":"2025-01-09T00:00:00Z","related":["USN-7206-1","USN-7206-3"],"upstream":["CVE-2024-12087"],"references":[{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-12087"},{"type":"REPORT","url":"https://www.cve.org/CVERecord?id=CVE-2024-12087"},{"type":"REPORT","url":"https://kb.cert.org/vince/comm/case/2083/"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7206-1"},{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7206-3"}],"affected":[{"package":{"name":"rsync","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/rsync@3.1.0-2ubuntu0.4+esm1?arch=source&distro=esm-infra-legacy/trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.0-2ubuntu0.4+esm1"}]}],"versions":["3.0.9-4ubuntu1","3.1.0-2","3.1.0-2ubuntu0.1","3.1.0-2ubuntu0.2","3.1.0-2ubuntu0.3","3.1.0-2ubuntu0.4"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro","binaries":[{"binary_name":"rsync","binary_version":"3.1.0-2ubuntu0.4+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12087.json"}},{"package":{"name":"rsync","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/rsync@3.1.1-3ubuntu1.3+esm3?arch=source&distro=esm-infra/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.1-3ubuntu1.3+esm3"}]}],"versions":["3.1.1-3","3.1.1-3ubuntu1","3.1.1-3ubuntu1.1","3.1.1-3ubuntu1.2","3.1.1-3ubuntu1.3","3.1.1-3ubuntu1.3+esm1","3.1.1-3ubuntu1.3+esm2"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"rsync","binary_version":"3.1.1-3ubuntu1.3+esm3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12087.json"}},{"package":{"name":"rsync","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/rsync@3.1.2-2.1ubuntu1.6+esm1?arch=source&distro=esm-infra/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.2-2.1ubuntu1.6+esm1"}]}],"versions":["3.1.2-2","3.1.2-2.1","3.1.2-2.1ubuntu1","3.1.2-2.1ubuntu1.1","3.1.2-2.1ubuntu1.2","3.1.2-2.1ubuntu1.3","3.1.2-2.1ubuntu1.4","3.1.2-2.1ubuntu1.5","3.1.2-2.1ubuntu1.6"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro","binaries":[{"binary_name":"rsync","binary_version":"3.1.2-2.1ubuntu1.6+esm1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12087.json"}},{"package":{"name":"rsync","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/rsync@3.1.3-8ubuntu0.8?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.3-8ubuntu0.8"}]}],"versions":["3.1.3-6","3.1.3-8","3.1.3-8ubuntu0.1","3.1.3-8ubuntu0.2","3.1.3-8ubuntu0.3","3.1.3-8ubuntu0.4","3.1.3-8ubuntu0.5","3.1.3-8ubuntu0.7"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"rsync","binary_version":"3.1.3-8ubuntu0.8"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12087.json"}},{"package":{"name":"rsync","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/rsync@3.2.7-0ubuntu0.22.04.3?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.7-0ubuntu0.22.04.3"}]}],"versions":["3.2.3-4ubuntu1","3.2.3-4ubuntu2","3.2.3-8ubuntu1","3.2.3-8ubuntu2","3.2.3-8ubuntu3","3.2.3-8ubuntu3.1","3.2.7-0ubuntu0.22.04.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"rsync","binary_version":"3.2.7-0ubuntu0.22.04.3"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12087.json"}},{"package":{"name":"rsync","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/rsync@3.2.7-1ubuntu1.1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.2.7-1ubuntu1.1"}]}],"versions":["3.2.7-1","3.2.7-1build1","3.2.7-1build2","3.2.7-1ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"rsync","binary_version":"3.2.7-1ubuntu1.1"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-12087.json"}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}]}