Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-y59h-bzyk-dbhf
Vulnerability ID VCID-y59h-bzyk-dbhf
Aliases CVE-2022-29154
Summary An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
Status Published
Exploitability 0.5
Weighted Severity 6.7
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
System Score Found at
cvssv3 7.4 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29154.json
epss 0.00923 https://api.first.org/data/v1/epss?cve=CVE-2022-29154
epss 0.00923 https://api.first.org/data/v1/epss?cve=CVE-2022-29154
epss 0.00923 https://api.first.org/data/v1/epss?cve=CVE-2022-29154
epss 0.00923 https://api.first.org/data/v1/epss?cve=CVE-2022-29154
cvssv3.1 8.8 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29154.json
https://api.first.org/data/v1/epss?cve=CVE-2022-29154
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
1016543 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1016543
2110928 https://bugzilla.redhat.com/show_bug.cgi?id=2110928
GLSA-202405-22 https://security.gentoo.org/glsa/202405-22
RHSA-2022:6170 https://access.redhat.com/errata/RHSA-2022:6170
RHSA-2022:6171 https://access.redhat.com/errata/RHSA-2022:6171
RHSA-2022:6172 https://access.redhat.com/errata/RHSA-2022:6172
RHSA-2022:6173 https://access.redhat.com/errata/RHSA-2022:6173
RHSA-2022:6180 https://access.redhat.com/errata/RHSA-2022:6180
RHSA-2022:6181 https://access.redhat.com/errata/RHSA-2022:6181
RHSA-2022:6551 https://access.redhat.com/errata/RHSA-2022:6551
USN-5921-1 https://usn.ubuntu.com/5921-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-29154.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.76375
EPSS Score 0.00923
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-04T17:10:03.919577+00:00 Debian Importer Import https://security-tracker.debian.org/tracker/data/json 38.6.0