CVE Catalog

CVE-2024-12084

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Very high risk
72.06%

99th percentile - higher than 99% of all known CVEs

Summary

A heap-based buffer overflow vulnerability was found in the rsync daemon due to improper handling of attacker-controlled checksum lengths (s2length). When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Risk Assessment

An attacker can remotely crash the rsync daemon or potentially execute arbitrary code, compromising data integrity and confidentiality in the organization.

Recommendation

Immediately update rsync to a version containing the fix for CVE-2024-12084 and restrict access to the rsync daemon to trusted networks only.

Original NVD description (English source)

A heap-based buffer overflow flaw was found in the rsync daemon. This issue is due to improper handling of attacker-controlled checksum lengths (s2length) in the code. When MAX_DIGEST_LEN exceeds the fixed SUM_LENGTH (16 bytes), an attacker can write out of bounds in the sum2 buffer.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS