CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 2CVE-2022-29154 – rsync: remote arbitrary files write inside the directories of connecting peers
https://notcve.org/view.php?id=CVE-2022-29154
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). Se ha detectado un problema en rsync versiones anteriores a 3.2.5, que permite a servidores remotos maliciosos escribir archivos arbitrarios dentro de los directorios de los pares conectados. • https://github.com/EgeBalci/CVE-2022-29154 http://www.openwall.com/lists/oss-security/2022/08/02/1 https://github.com/WayneD/rsync/tags https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2 https://access.redhat.com/security/cve/CVE-2022-29154 https://bugzilla.redhat.com/show_bug.cgi?id=2110928 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.4EPSS: 0%CPEs: 5EXPL: 0CVE-2020-14387
https://notcve.org/view.php?id=CVE-2020-14387
A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4. • https://bugzilla.redhat.com/show_bug.cgi?id=1875549 • CWE-297: Improper Validation of Certificate with Host Mismatch •