A flaw was found in rsync verions before 3.1.3. The parse_argument function in options.c in rsyncd component does not prevent multiple --protect-args uses. Thus letting the user to specify the arg in the protected-arg list and shortcut some of the arg-sanitizing code. This vulnerability allows remote attackers to bypass the argument-sanitization protection mechanism, which may lead to a privilege escalation vulnerability. Fixed In Version:¶ rsync 3.1.3