Vulnerability details: VCID-vmm5-dhh3-e7b2
Vulnerability ID VCID-vmm5-dhh3-e7b2
Aliases CVE-2022-29154
Summary An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
Status Published
Exploitability 0.5
Weighted Severity 6.7
Risk 3.4
System Score Found at
cvssv3 7.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29154.json
epss 0.00301 https://api.first.org/data/v1/epss?cve=CVE-2022-29154
epss 0.00302 https://api.first.org/data/v1/epss?cve=CVE-2022-29154
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.4 https://nvd.nist.gov/vuln/detail/CVE-2022-29154
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29154.json
https://api.first.org/data/v1/epss?cve=CVE-2022-29154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/WayneD/rsync/tags
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMBOJ77A7T7PQCARMDUK75TE6LLESZ3O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YRQAI7H4M4RQZ2IWZUEEXECBE5D56BH2/
http://www.openwall.com/lists/oss-security/2022/08/02/1
1016543 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016543
2110928 https://bugzilla.redhat.com/show_bug.cgi?id=2110928
cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:samba:rsync:*:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
CVE-2022-29154 https://nvd.nist.gov/vuln/detail/CVE-2022-29154
RHSA-2022:6170 https://access.redhat.com/errata/RHSA-2022:6170
RHSA-2022:6171 https://access.redhat.com/errata/RHSA-2022:6171
RHSA-2022:6172 https://access.redhat.com/errata/RHSA-2022:6172
RHSA-2022:6173 https://access.redhat.com/errata/RHSA-2022:6173
RHSA-2022:6180 https://access.redhat.com/errata/RHSA-2022:6180
RHSA-2022:6181 https://access.redhat.com/errata/RHSA-2022:6181
RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551
USN-5921-1 https://usn.ubuntu.com/5921-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29154.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): high; Availability Impact (A): high
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-29154
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): none; Integrity Impact (I): high; Availability Impact (A): high
Exploit Prediction Scoring System (EPSS)
Percentile 0.53119
EPSS Score 0.00301
Published At Aug. 3, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:35:17.938178+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/v3.13/main.json 37.0.0