CVE-2017-17434
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
06/12/2017
Last modified:
20/04/2025
Description
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:* | 3.1.2 (including) | |
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://security.cucumberlinux.com/security/details.php?id=170
- https://git.samba.org/?p=rsync.git%3Ba%3Dcommit%3Bh%3D5509597decdbd7b91994210f700329d8a35e70a1
- https://git.samba.org/?p=rsync.git%3Ba%3Dcommit%3Bh%3D70aeb5fddd1b2f8e143276f8d5a085db16c593b9
- https://lists.debian.org/debian-lts-announce/2017/12/msg00020.html
- https://www.debian.org/security/2017/dsa-4068
- http://security.cucumberlinux.com/security/details.php?id=170
- https://git.samba.org/?p=rsync.git%3Ba%3Dcommit%3Bh%3D5509597decdbd7b91994210f700329d8a35e70a1
- https://git.samba.org/?p=rsync.git%3Ba%3Dcommit%3Bh%3D70aeb5fddd1b2f8e143276f8d5a085db16c593b9
- https://lists.debian.org/debian-lts-announce/2017/12/msg00020.html
- https://www.debian.org/security/2017/dsa-4068