CVE-2020-14387

Published: 27 May 2021

A flaw was found in rsync in versions since 3.2.0pre1. Rsync improperly validates certificate with host mismatch vulnerability. A remote, unauthenticated attacker could exploit the flaw by performing a man-in-the-middle attack using a valid certificate for another hostname which could compromise confidentiality and integrity of data transmitted using rsync-ssl. The highest threat from this vulnerability is to data confidentiality and integrity. This flaw affects rsync versions before 3.2.4.

Priority

Medium

CVSS 3 base score: 7.4

Status

Package Release Status
rsync
Launchpad, Ubuntu, Debian
Upstream
Released (3.2.3-1)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(code not present)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(code not present)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)
Patches:
Upstream: https://git.samba.org/?p=rsync.git;a=commitdiff;h=c3f7414c450faaf6a8281cc4a4403529aeb7d859