Vulnerability Description
A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. During this process, the rsync server will send checksums of local data to the client to compare with in order to determine what data needs to be sent to the server. By sending specially constructed checksum values for arbitrary files, an attacker may be able to reconstruct the data of those files byte-by-byte based on the responses from the client.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Samba | Rsync | <= 3.3.0 |
| Redhat | Openshift Container Platform | 4.0 |
| Redhat | Enterprise Linux | 6.0 |
| Almalinux | Almalinux | 8.0 |
| Archlinux | Arch Linux | - |
| Gentoo | Linux | - |
| Nixos | Nixos | < 24.11 |
| Suse | Suse Linux | - |
| Tritondatacenter | Smartos | < 20250123 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHBA-2025:6470
- https://access.redhat.com/errata/RHSA-2026:19368
- https://access.redhat.com/security/cve/CVE-2024-12086Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2330577Issue TrackingThird Party Advisory
- https://kb.cert.org/vuls/id/952657Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2025/01/msg00008.html
- https://security.netapp.com/advisory/ntap-20250131-0002/
- https://www.kb.cert.org/vuls/id/952657
- https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mExploitThird Party Advisory
FAQ
What is CVE-2024-12086?
CVE-2024-12086 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A flaw was found in rsync. It could allow a server to enumerate the contents of an arbitrary file from the client's machine. This issue occurs when files are being copied from a client to a server. Du...
How severe is CVE-2024-12086?
CVE-2024-12086 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-12086?
Check the references section above for vendor advisories and patch information. Affected products include: Samba Rsync, Redhat Openshift Container Platform, Redhat Enterprise Linux, Almalinux Almalinux, Archlinux Arch Linux.