{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/almalinux9.2esu/vex/2024/cve-2024-12747-els_os-almalinux9_2esu.json"
      }
    ],
    "title": "Security update on CVE-2024-12747",
    "tracking": {
      "current_release_date": "2026-01-19T22:21:47Z",
      "generator": {
        "date": "2026-01-19T22:21:47Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2024-12747-ELS_OS-ALMALINUX9.2ESU",
      "initial_release_date": "2024-01-01T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-01-01T00:00:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-10-08T17:34:12Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2025-10-30T09:23:45Z",
          "number": "3",
          "summary": "Update document"
        },
        {
          "date": "2025-11-29T11:26:21Z",
          "number": "4",
          "summary": "Update document"
        },
        {
          "date": "2025-12-23T19:08:30Z",
          "number": "5",
          "summary": "Update document"
        },
        {
          "date": "2026-01-19T22:21:47Z",
          "number": "6",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "AlmaLinux 9.2",
                "product": {
                  "name": "AlmaLinux 9.2",
                  "product_id": "AlmaLinux-9.2",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:almalinux:almalinux:9.2:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "AlmaLinux"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
                "product": {
                  "name": "rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
                  "product_id": "rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rsync@3.2.3-19.el9.tuxcare.els3?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
                "product": {
                  "name": "rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
                  "product_id": "rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rsync@3.2.3-19.el9.tuxcare.els2?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
                "product": {
                  "name": "rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
                  "product_id": "rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rsync@3.2.3-19.el9.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
                "product": {
                  "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
                  "product_id": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.3-19.el9.tuxcare.els3?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
                "product": {
                  "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
                  "product_id": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.3-19.el9.tuxcare.els2?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
                "product": {
                  "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
                  "product_id": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rsync-daemon@3.2.3-19.el9.tuxcare.els1?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-0:3.2.3-19.el9.x86_64",
                "product": {
                  "name": "rsync-0:3.2.3-19.el9.x86_64",
                  "product_id": "rsync-0:3.2.3-19.el9.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/rsync@3.2.3-19.el9?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rsync-daemon-0:3.2.3-19.el9.noarch",
                "product": {
                  "name": "rsync-daemon-0:3.2.3-19.el9.noarch",
                  "product_id": "rsync-daemon-0:3.2.3-19.el9.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/almalinux/rsync-daemon@3.2.3-19.el9?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "AlmaLinux OS Foundation"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64"
        },
        "product_reference": "rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64"
        },
        "product_reference": "rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64"
        },
        "product_reference": "rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch"
        },
        "product_reference": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch"
        },
        "product_reference": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch"
        },
        "product_reference": "rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-0:3.2.3-19.el9.x86_64 as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.x86_64"
        },
        "product_reference": "rsync-0:3.2.3-19.el9.x86_64",
        "relates_to_product_reference": "AlmaLinux-9.2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rsync-daemon-0:3.2.3-19.el9.noarch as a component of AlmaLinux 9.2",
          "product_id": "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.noarch"
        },
        "product_reference": "rsync-daemon-0:3.2.3-19.el9.noarch",
        "relates_to_product_reference": "AlmaLinux-9.2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-12747",
      "cwe": {
        "id": "CWE-362",
        "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in rsync. This vulnerability arises from a race condition during rsync's handling of symbolic links. Rsync's default behavior when encountering symbolic links is to skip them. If an attacker replaced a regular file with a symbolic link at the right time, it was possible to bypass the default behavior and traverse symbolic links. Depending on the privileges of the rsync process, an attacker could leak sensitive information, potentially leading to privilege escalation.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
          "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
          "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
          "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.x86_64",
          "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
          "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
          "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
          "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-12747"
        }
      ],
      "release_date": "2025-01-14T15:06:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "Ignored due to low severity",
          "product_ids": [
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.x86_64",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.noarch"
          ]
        },
        {
          "category": "no_fix_planned",
          "details": "This issue is a local-only, high‑complexity time‑of‑check/time‑of‑use race in rsync’s symlink handling that requires an attacker to already have write access to the synchronized path and to precisely replace a file with a symlink during the transfer. Data exposure occurs only if rsync is running with higher privileges than the attacker; otherwise it cannot expand access, and it has no integrity or availability impact. Given the lack of a remote vector and the need for specific local conditions, this vulnerability can be safely deprioritized for centrally managed VM/server workloads. Hosts where rsync runs with elevated privileges (for example, as root) over paths writable by less-privileged local users meet these conditions and should be assessed individually.",
          "product_ids": [
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.x86_64",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els1.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els2.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.tuxcare.els3.x86_64",
            "AlmaLinux-9.2:rsync-0:3.2.3-19.el9.x86_64",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els1.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els2.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.tuxcare.els3.noarch",
            "AlmaLinux-9.2:rsync-daemon-0:3.2.3-19.el9.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}