Vulnerability details: VCID-48w1-ugdn-aaab
Vulnerability ID VCID-48w1-ugdn-aaab
Aliases CVE-2017-17434
Summary The daemon in rsync 3.1.2, and 3.1.3-development before 2017-12-03, does not check for fnamecmp filenames in the daemon_filter_list data structure (in the recv_files function in receiver.c) and also does not apply the sanitize_paths protection mechanism to pathnames found in "xname follows" strings (in the read_ndx_and_attrs function in rsync.c), which allows remote attackers to bypass intended access restrictions.
Status Published
Exploitability 0.5
Weighted Severity 9.0
Risk 4.5
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17434.html
cvssv3 4.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-17434.json
epss 0.00981 https://api.first.org/data/v1/epss?cve=CVE-2017-17434
epss 0.01156 https://api.first.org/data/v1/epss?cve=CVE-2017-17434
epss 0.01218 https://api.first.org/data/v1/epss?cve=CVE-2017-17434
epss 0.03805 https://api.first.org/data/v1/epss?cve=CVE-2017-17434
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1522875
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
cvssv2 4.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3 5.4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2017-17434
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2017-17434
archlinux Critical https://security.archlinux.org/AVG-542
generic_textual Medium https://ubuntu.com/security/notices/USN-3506-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3506-2
Reference id Reference type URL
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17434.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-17434.json
https://api.first.org/data/v1/epss?cve=CVE-2017-17434
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16548
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17433
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17434
http://security.cucumberlinux.com/security/details.php?id=170
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://git.samba.org/?p=rsync.git;a=commit;h=5509597decdbd7b91994210f700329d8a35e70a1
https://git.samba.org/?p=rsync.git;a=commit;h=70aeb5fddd1b2f8e143276f8d5a085db16c593b9
https://lists.debian.org/debian-lts-announce/2017/12/msg00020.html
https://ubuntu.com/security/notices/USN-3506-1
https://ubuntu.com/security/notices/USN-3506-2
https://www.debian.org/security/2017/dsa-4068
1522875 https://bugzilla.redhat.com/show_bug.cgi?id=1522875
883665 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=883665
ASA-201801-21 https://security.archlinux.org/ASA-201801-21
AVG-542 https://security.archlinux.org/AVG-542
cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
CVE-2017-17434 https://nvd.nist.gov/vuln/detail/CVE-2017-17434
GLSA-201801-16 https://security.gentoo.org/glsa/201801-16
USN-3506-1 https://usn.ubuntu.com/3506-1/
USN-3506-2 https://usn.ubuntu.com/3506-2/
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-17434.json
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2017-17434
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2017-17434
Exploit Prediction Scoring System (EPSS)
Percentile 0.83884
EPSS Score 0.00981
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.