CVE-2024-12086

MEDIUM 6.1

Rsync: rsync server leaks arbitrary client files

CVSS Score

6.1

EPSS Score

0.6%

EPSS Percentile

70th

A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.

CWE	CWE-390
Published	Jan 14, 2025
Last Updated	Apr 14, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

Red Hat / Red Hat Enterprise Linux 10

All versions affected

Red Hat / Red Hat Enterprise Linux 6

All versions affected

Red Hat / Red Hat Enterprise Linux 7

All versions affected

Red Hat / Red Hat Enterprise Linux 8

All versions affected

Red Hat / Red Hat Enterprise Linux 9

All versions affected

Red Hat / Red Hat OpenShift Container Platform 4

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHBA-2025:6470 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-12086 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2330577 kb.cert.org: https://kb.cert.org/vuls/id/952657 github.com: https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj security.netapp.com: https://security.netapp.com/advisory/ntap-20250131-0002/ lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html kb.cert.org: https://www.kb.cert.org/vuls/id/952657

Credits

Red Hat would like to thank Jasiel Spelman (Google), Pedro Gallegos (Google), and Simon Scannell (Google) for reporting this issue.