The 'rcp' utility's receive path (sink()) concatenates server-supplied filenames into the local destination path without validating directory traversal sequences (e.g., '../') or shell metacharacters. This allows a malicious or MITM server to write files outside the intended directory or execute arbitrary commands via crafted filenames.
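As an added example (not rcp's own code), the kind of per-name check a hardened sink() would apply to each server-supplied filename before joining it to the local destination directory: the name must be a single path component, must not be `.` or `..`, and must contain no shell metacharacters or control characters. The function names and the metacharacter list are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: true only when a server-supplied name is safe to
 * append to the destination directory. */
static bool sink_name_is_safe(const char *name)
{
    /* Constructed list of shell metacharacters to refuse. */
    static const char *meta = "`$|;&<>(){}*?!\\\"'";

    if (name == NULL || *name == '\0')
        return false;
    /* A path separator would let the server choose a different directory. */
    if (strchr(name, '/') != NULL)
        return false;
    /* "." and ".." would escape or rewrite the target directory itself. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    /* Control characters and shell metacharacters are rejected outright. */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || strchr(meta, *p) != NULL)
            return false;
    }
    return true;
}

/* Joins dir and name into out only after validation.
 * Returns 0 on success, -1 if the name is rejected or the path is truncated. */
int sink_build_path(const char *dir, const char *name, char *out, size_t outlen)
{
    if (!sink_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}
```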
| Vendor | Product | Versions |
|---|---|---|
| — | rcp | — |