Vulnerability in Rsync allowing overwriting of files on the client side

A vulnerability (CVE-2022-29154) has been identified in rsync, a file synchronization and backup utility, that could allow an attacker-controlled rsync server to write or overwrite arbitrary files in the target directory on the user's side. The attack could potentially also be carried out by interfering (MITM) with traffic in transit between a client and a legitimate server. The issue has been fixed in the Rsync 3.2.5pre1 test release.

The vulnerability is reminiscent of past issues in SCP and has the same cause: the server decides where the file being written is placed, and the client does not properly check what the server returns against what was requested. This allows the server to write files that the client did not originally request. For example, if the user copies files into their home directory, the server may return files named .bash_aliases or .ssh/authorized_keys instead of the requested files, and they will be stored in the user's home directory.
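
A simplified model of the client-side check described above, as an added example that is not rsync's own code: every name in the server's file list is compared with the names or globs the client requested. The function names, the glob matching via `fnmatch` and the sample data are assumptions made for illustration.

```python
import fnmatch
import posixpath

def _matches(pattern, component):
    # As in a shell glob, a wildcard does not implicitly match a leading dot.
    if component.startswith(".") and not pattern.startswith("."):
        return False
    return fnmatch.fnmatchcase(component, pattern)

def unrequested_entries(sources, returned, recursive=False):
    """Return the server-supplied names the client did not ask for.

    sources:  remote paths the client requested, e.g. "docs/*.txt"
              (no trailing slash; that form is outside this sketch).
    returned: relative paths the server sent back in its file list.
    """
    wanted = [posixpath.basename(s) for s in sources]
    rejected = []
    for name in returned:
        parts = name.split("/")
        # Absolute paths, empty components and ".." could leave the target directory.
        if any(p in ("", "..") for p in parts):
            rejected.append(name)
        # Entries below the top level are only expected in a recursive copy.
        elif len(parts) > 1 and not recursive:
            rejected.append(name)
        # The top-level component must be one of the requested names or globs.
        elif not any(_matches(w, parts[0]) for w in wanted):
            rejected.append(name)
    return rejected

# Constructed sample: the client asked for docs/*.txt and backup/report.pdf;
# the file list mixes requested names with the two names from the article.
SOURCES = ["docs/*.txt", "backup/report.pdf"]
RETURNED = ["notes.txt", "report.pdf", ".bash_aliases", ".ssh/authorized_keys"]

if __name__ == "__main__":
    for name in unrequested_entries(SOURCES, RETURNED):
        print("not requested, refusing:", name)
```

A client that performs no such comparison writes all four entries into the destination directory; with the check, only notes.txt and report.pdf are accepted.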

Source: opennet.ru
