GitHub_MCVELIST:CVE-2021-29488CVE-2021-29488 Creation of files outside the Download Folder through malicious PAR2 files
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
36.0%
SABnzbd is an open source binary newsreader. A vulnerability was discovered in SABnzbd that could trick the filesystem.renamer() function into writing downloaded files outside the configured Download Folder via malicious PAR2 files. A patch was released as part of SABnzbd 3.2.1RC1. As a workaround, limit downloads to NZBs without PAR2 files, deny write permissions to the SABnzbd process outside areas it must access to perform its job, or update to a fixed version.
CNA Affected
[
{
"platforms": [
"Windows"
],
"product": "sabnzbd",
"vendor": "sabnzbd",
"versions": [
{
"status": "affected",
"version": "< 3.0.0"
}
]
},
{
"platforms": [
"All other OSes"
],
"product": "sabnzbd",
"vendor": "sabnzbd",
"versions": [
{
"status": "affected",
"version": "< 3.2.1"
}
]
}
]Related
4.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
0.001 Low
EPSS
Percentile
36.0%