CVE-2017-17434
- Source
- https://cve.org/CVERecord?id=CVE-2017-17434
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-17434.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2017-17434
- Downstream
- Related
- Published
- 2017-12-06T03:29:00.267Z
- Modified
- 2026-05-15T12:03:03.791062279Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemonfilterlist data structure (in the recvfiles function in receiver.c) and also does not apply the sanitizepaths protection mechanism to pathnames found in "xname follows" strings (in the readndxand_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
- Database specific
{ "unresolved_ranges": [ { "source": "CPE_FIELD", "cpes": [ "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*" ], "vendor_product": "debian:debian_linux", "extracted_events": [ { "last_affected": "8.0" }, { "last_affected": "9.0" } ] } ] }- References
-
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=5509597decdbd7b91994210f700329d8a35e70a1
- https://git.samba.org/?p=rsync.git%3Ba=commit%3Bh=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
- https://lists.debian.org/debian-lts-announce/2017/12/msg00020.html
- http://security.cucumberlinux.com/security/details.php?id=170
- https://www.debian.org/security/2017/dsa-4068