CVE-2020-14387

Published: 27/05/2021 Updated: 09/06/2021
CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 7.4 | Impact Score: 5.2 | Exploitability Score: 2.2
VMScore: 516
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

Vulnerability Summary

A flaw was found in rsync in versions since 3.2.0pre1. rsync-ssl improperly validates the server certificate: a certificate whose hostname does not match the server being contacted is accepted. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate issued for another hostname, which could compromise the confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions prior to 3.2.4.

samba rsync 3.2.0

samba rsync

Vendor Advisories

Debian Bug report logs - #969530 rsync: CVE-2020-14387 Package: src:rsync; Maintainer for src:rsync is Paul Slootman <paul@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Fri, 4 Sep 2020 13:03:00 UTC Severity: important Tags: security, upstream Found in versions rsync/3.2.0-1, rsync/3.2.3-2 ...
A flaw was found in rsync version 3.2.0pre1 to 3.2.4: rsync-ssl does not verify the hostname in the server certificate in openssl mode, so a remote, unauthenticated man-in-the-middle attacker with a valid certificate for another hostname could intercept connections ...