RUSTSEC-2021-0101

Permissions bypass in pleaser

Reported

May 27, 2021

Issued

September 9, 2021 (last modified: September 10, 2021)

Package

pleaser (crates.io)

Type

Vulnerability

Categories

privilege-escalation

Aliases

CVE-2021-31155
GHSA-vc5p-j8vw-mc6x

References

https://nvd.nist.gov/vuln/detail/CVE-2021-31155

CVSS Score

7.8 HIGH

CVSS Details

Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Patched

>=0.4

Description

Failure to normalize the umask in pleaser before 0.4 allows a local attacker to gain full root privileges if they are allowed to execute at least one command.

Advisory available under CC0-1.0 license.