Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArchLinuxASA-202101-1
HistoryJan 04, 2021 - 12:00 a.m.

[ASA-202101-1] rsync: man-in-the-middle

2021-01-0400:00:00
security.archlinux.org
107

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.002 Low

EPSS

Percentile

53.5%

JSON

Arch Linux Security Advisory ASA-202101-1

Severity: High
Date : 2021-01-04
CVE-ID : CVE-2020-14387
Package : rsync
Type : man-in-the-middle
Remote : Yes
Link : https://security.archlinux.org/AVG-1374

Summary

The package rsync before version 3.2.3-2 is vulnerable to man-in-the-
middle.

Resolution

Upgrade to 3.2.3-2.

pacman -Syu “rsync>=3.2.3-2”

The problem has been fixed upstream but no release is available yet.

Workaround

None.

Description

A flaw was found in rsync version 3.2.0pre1 to 3.2.4. rsync-ssl does
not verify the hostname in the server certificate in openssl mode, so a
remote, unauthenticated man-in-the-middle attacker with a valid
certificate for another hostname could intercept connections.

Impact

A remote, unauthenticated attacker in position of man-in-the-middle
with a valid certificate for another hostname can intercept
connections.

References

https://bugs.archlinux.org/task/69051
https://bugzilla.redhat.com/show_bug.cgi?id=1875549
https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859
https://security.archlinux.org/CVE-2020-14387

OSVersionArchitecturePackageVersionFilename
ArchLinuxanyanyrsync< 3.2.3-2UNKNOWN

Related

prion 1
nvd 1
cbl_mariner 1
veracode 1
f5 1
cve 1
ubuntucve 1
osv 1
debiancve 1
redhatcve 1
nessus 2
alpinelinux 1
cvelist 1
photon 2
gentoo 1
prion
prion
Design/Logic Flaw
2021-05-27 20:15:00
nvd
nvd
CVE-2020-14387
2021-05-27 20:15:07
cbl_mariner
cbl_mariner
CVE-2020-14387 affecting package rsync for versions less than 3.2.3-2
2022-04-26 19:57:36
veracode
veracode
Improper Validation Of Certificate
2020-12-19 19:36:48
f5
f5
K84155336 : rsync vulnerability CVE-2020-14387
2022-04-30 00:00:00
cve
cve
CVE-2020-14387
2021-05-27 20:15:07
ubuntucve
ubuntucve
CVE-2020-14387
2021-05-27 00:00:00
osv
osv
CVE-2020-14387
2021-05-27 20:15:07
debiancve
debiancve
CVE-2020-14387
2021-05-27 20:15:07
redhatcve
redhatcve
CVE-2020-14387
2020-09-03 18:48:39
nessus
nessus
Photon OS 4.0: Rsync PHSA-2021-4.0-0046
2021-06-21 00:00:00
GLSA-202405-22 : rsync: Multiple Vulnerabilities
2024-05-08 00:00:00
alpinelinux
alpinelinux
CVE-2020-14387
2021-05-27 20:15:07
cvelist
cvelist
CVE-2020-14387
2021-05-27 19:44:53
photon
photon
Important Photon OS Security Update - PHSA-2021-0046
2021-06-15 00:00:00
Important Photon OS Security Update - PHSA-2021-4.0-0046
2021-06-15 00:00:00
gentoo
gentoo
rsync: Multiple Vulnerabilities
2024-05-08 00:00:00

5.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:P/A:N

7.4 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

0.002 Low

EPSS

Percentile

53.5%

JSON
Related for ASA-202101-1
prion1nvd1cbl_mariner1veracode1f51cve1ubuntucve1osv1debiancve1redhatcve1nessus2alpinelinux1cvelist1photon2gentoo1