SUSE update for rsync



Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-29154
CWE-ID CWE-22
Exploitation vector Network
Public exploit N/A
Vulnerable software
 openSUSE Leap Micro
Operating systems & Components / Operating system

rsync-debugsource
Operating systems & Components / Operating system package or component

rsync-debuginfo
Operating systems & Components / Operating system package or component

rsync
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Path traversal

EUVDB-ID: #VU66189

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2022-29154

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Exploit availability: No

Description

The vulnerability allows a remote server to perform directory traversal attacks.

The vulnerability exists due to input validation error within the rsync client  when processing file names. A remote malicious server overwrite arbitrary files in the rsync client target directory and subdirectories on the connected peer.

Mitigation

Update the affected package rsync to the latest version.

Vulnerable software versions

openSUSE Leap Micro: 5.2

rsync-debugsource: before 3.1.3-150000.4.13.1

rsync-debuginfo: before 3.1.3-150000.4.13.1

rsync: before 3.1.3-150000.4.13.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2022/suse-su-20222959-2/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###