CVE Alert

CVE-2024-12747

MEDIUM 5.6

Rsync: race condition in rsync handling symbolic links

CVSS Score: 5.6
EPSS Score: 0.0%
EPSS Percentile: 2nd

A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.

CWE: CWE-362
Published: Jan 14, 2025
Last Updated: Apr 14, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

Red Hat / Red Hat Enterprise Linux 10
All versions affected
Red Hat / Red Hat Enterprise Linux 8
All versions affected
Red Hat / Red Hat Enterprise Linux 9
All versions affected
Red Hat / Red Hat Discovery 1.14
All versions affected
Red Hat / Red Hat Enterprise Linux 6
All versions affected
Red Hat / Red Hat Enterprise Linux 7
All versions affected
Red Hat / Red Hat OpenShift Container Platform 4
All versions affected

References

access.redhat.com: https://access.redhat.com/errata/RHBA-2025:6470
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:2600
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:7050
access.redhat.com: https://access.redhat.com/errata/RHSA-2025:8385
access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-12747
bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2332968
kb.cert.org: https://kb.cert.org/vuls/id/952657
security.netapp.com: https://security.netapp.com/advisory/ntap-20250131-0002/
lists.debian.org: https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
kb.cert.org: https://www.kb.cert.org/vuls/id/952657

Credits

Red Hat would like to thank Aleksei Gorban "loqpa" for reporting this issue.