CVE-2024-12084 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
redhat	CNA	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA-ADP	ADP	---				---
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 85%

Vendor	Product	Version
samba	rsync	3.2.7
samba	rsync	3.3.0
almalinux	almalinux	10.0
archlinux	arch_linux	-
gentoo	linux	-
nixos	nixos	𝑥 < 24.11
nixos	nixos	24.11
novell	suse_linux	-
tritondatacenter	smartos	𝑥 < 20250123
redhat	enterprise_linux	10.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rsync

bullseye	3.2.3-4+deb11u1 not-affected
bullseye (security)	3.2.3-4+deb11u3 fixed
bookworm	3.2.7-1+deb12u2 fixed
bookworm (security)	3.2.7-1+deb12u2 fixed
trixie	3.4.1+ds1-4 fixed
sid	3.4.1+ds1-4 fixed

Ubuntu Releases

Ubuntu Product

Codename

rsync

oracular	Fixed 3.3.0-1ubuntu0.1 released
noble	Fixed 3.2.7-1ubuntu1.1 released
jammy	Fixed 3.2.7-0ubuntu0.22.04.3 released
focal	not-affected
bionic	not-affected
xenial	not-affected
trusty	not-affected

Known Exploits!

https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj

Common Weakness Enumeration

CWE-122 - Heap-based Buffer Overflow
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-787 - Out-of-bounds Write
The software writes data past the end, or before the beginning, of the intended buffer.

References

https://access.redhat.com/errata/RHBA-2025:6470

https://access.redhat.com/security/cve/CVE-2024-12084

https://bugzilla.redhat.com/show_bug.cgi?id=2330527

https://kb.cert.org/vuls/id/952657

http://www.openwall.com/lists/oss-security/2025/01/14/6

https://github.com/google/security-research/security/advisories/GHSA-p5pg-x43v-mvqj