Vulnerability Description
The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian | Debian Linux | 7.0 |
| Samba | Rsync | 3.1.2 |
Related Weaknesses (CWE)
References
- http://security.cucumberlinux.com/security/details.php?id=169 (Third Party Advisory)
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=3e06d40029cfdce9d0f73d87cfd4ed
- https://lists.debian.org/debian-lts-announce/2017/12/msg00020.html (Third Party Advisory)
- https://www.debian.org/security/2017/dsa-4068 (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=1522874#c4 (Patch, Third Party Advisory)
FAQ
What is CVE-2017-17433?
CVE-2017-17433 is a vulnerability with a CVSS score of 3.7 (LOW). The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_fi...
How severe is CVE-2017-17433?
CVE-2017-17433 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-17433?
Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Samba Rsync.