CVE-2017-17433

Summary

CVE	CVE-2017-17433
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2017-12-06 03:29:00 UTC
Updated	2023-11-07 02:41:00 UTC
Description	The recv_files function in receiver.c in the daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, proceeds with certain file metadata updates before checking for a filename in the daemon_filter_list data structure, which allows remote attackers to bypass intended access restrictions.

Risk And Classification

Problem Types: CWE-862

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	7.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Samba	Rsync	3.1.2	All	All	All
Application	Samba	Rsync	3.1.2	All	All	All

References

Reference	Source	Link	Tags
1522874 – (CVE-2017-17433) CVE-2017-17433 rsync: recv_files function metadata handling allows for access restriction bypass	MISC	bugzilla.redhat.com	Patch, Third Party Advisory
git.samba.org - rsync.git/commit	MISC	git.samba.org	Patch
CLD-169 Details	CONFIRM	security.cucumberlinux.com	Third Party Advisory
Debian -- Security Information -- DSA-4068-1 rsync	DEBIAN	www.debian.org	Third Party Advisory
[SECURITY] [DLA 1218-1] rsync security update	MLIST	lists.debian.org	Third Party Advisory
git.samba.org		git.samba.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

500605 Alpine Linux Security Update for rsync
504364 Alpine Linux Security Update for rsync
710226 Gentoo Linux rsync Multiple Vulnerabilities (GLSA 201801-16)