FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rsync -- client-side arbitrary file write vulnerability

Affected packages
rsync < 3.2.5


VuXML ID 21f43976-1887-11ed-9911-40b034429ecf
Discovery 2022-08-02
Entry 2022-08-10

Openwall oss-security reports:

We have discovered a critical arbitrary file write vulnerability in the rsync utility that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. Due to the insufficient controls inside the do_server_recv function a malicious rysnc server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories.


CVE Name CVE-2022-29154