Reported

May 27, 2021

Issued

September 9, 2021 (last modified: September 10, 2021)

Package

pleaser (crates.io)

Type

Vulnerability

Categories

• privilege-escalation

Aliases

• CVE-2021-31155
• GHSA-vc5p-j8vw-mc6x

Details

https://nvd.nist.gov/vuln/detail/CVE-2021-31155

CVSS Score

7.8 HIGH

CVSS Details

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Patched

• >=0.4

Description

Failure to normalize the umask in pleaser before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command.