CVE-2024-12087
Published: 14 January 2025
Summary
CVE-2024-12087 is a medium-severity Path Traversal (CWE-22) vulnerability in rsync as shipped by AlmaLinux. Its CVSS base score is 6.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Ingress Tool Transfer (T1105); ranked in the top 12.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the path traversal vulnerability in rsync by applying vendor patches such as Red Hat errata RHBA-2025:6470 and the related RHSA updates.
- SI-10 (Information Input Validation): requires validation of path and symlink inputs received from the rsync server so that files cannot be written outside the intended client destination directory.
- Secure configuration settings: enforces hardened rsync settings, such as disabling or restricting the --inc-recursive option, to mitigate the vulnerable behavior.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The path traversal and symlink handling vulnerabilities in rsync (CVE-2024-12087, CVE-2024-12088, CVE-2024-12747) allow a malicious server to write arbitrary files outside the client's intended destination directory. That capability maps to Ingress Tool Transfer (T1105) and, because the dropped files may later be executed, to Exploitation for Client Execution (T1203) against the rsync client.
NVD Description
A path traversal vulnerability exists in rsync. It stems from behavior enabled by the `--inc-recursive` option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the `--inc-recursive` option, a lack of proper symlink verification coupled with deduplication checks occurring on a per-file-list basis could allow a server to write files outside of the client's intended destination directory. A malicious server could write malicious files to arbitrary locations named after valid directories/paths on the client.
Deeper analysis
CVE-2024-12087 is a path traversal vulnerability (CWE-22) in rsync, published on 2025-01-14. The issue arises from the --inc-recursive option, which is default-enabled for many client configurations and can be enabled by the server even if not explicitly requested by the client. When this option is in use, inadequate symlink verification combined with deduplication checks performed on a per-file-list basis allows a server to write files outside the client's intended destination directory to arbitrary locations named after valid client directories or paths.
A malicious rsync server can exploit this vulnerability against a client connecting to it, provided the --inc-recursive option is active. The attack requires no privileges (PR:N) and low complexity (AC:L) over the network (AV:N), but involves user interaction (UI:R), with a CVSS v3.1 base score of 6.5 (C:N/I:H/A:N/S:U). Successful exploitation enables the server to write malicious files to arbitrary locations on the client filesystem.
Red Hat has released multiple errata addressing this vulnerability, including RHBA-2025:6470, RHSA-2025:23154, RHSA-2025:23235, RHSA-2025:23407, and RHSA-2025:23415.
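The symlink verification the advisory describes as missing, shown as an added illustration (not rsync's own code): every file-list entry is resolved component by component beneath the destination directory and refused if a symlinked directory or a parent reference would carry the write outside it. The directory layout and file-list entries are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List


class PathEscape(Exception):
    """A file-list entry would land outside the destination after symlink resolution."""


def safe_target(dest: str, rel_path: str) -> Path:
    """Map rel_path onto dest, resolving symlinks one component at a time and
    refusing any entry whose real location leaves dest. Resolving incrementally
    catches a symlinked intermediate directory, not only a symlinked leaf."""
    root = Path(dest).resolve()
    cur = root
    for part in Path(rel_path).parts:
        if part == "..":
            raise PathEscape(f"parent reference in {rel_path!r}")
        # resolve() follows an existing symlink; a not-yet-created name is kept as-is
        cur = (cur / part).resolve()
        if cur != root and root not in cur.parents:
            raise PathEscape(f"{rel_path!r} resolves to {cur}, outside {root}")
    return cur


def check_file_list(dest: str, entries: List[str]) -> Dict[str, str]:
    """Classify each file-list entry as 'ok' (safe to write) or 'rejected'."""
    result = {}
    for entry in entries:
        try:
            safe_target(dest, entry)
            result[entry] = "ok"
        except PathEscape:
            result[entry] = "rejected"
    return result


def demo() -> Dict[str, str]:
    """Constructed layout: dest/etc is a symlink pointing outside dest, the
    situation in which later 'etc/...' entries from a hostile server would
    otherwise be written elsewhere. Everything here is a throwaway fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp, "dest")
        outside = Path(tmp, "outside")
        dest.mkdir()
        outside.mkdir()
        (dest / "docs").mkdir()
        os.symlink(outside, dest / "etc")  # the escaping symlink
        entries = ["docs/readme.txt", "etc/shadow", "../escape.txt", "/abs/path"]
        return check_file_list(str(dest), entries)
```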
Details
- CWE(s)