VDB
CVE-2021-29488
CVE-2021-29488
PUBLISHED
SABnzbd is an open source binary newsreader. A vulnerability was discovered in SABnzbd that could trick the `filesystem.renamer()` function into writing downloaded files outside the configured Download Folder via malicious PAR2 files. A patch was released as part of SABnzbd 3.2.1RC1. As a workaround, limit downloads to NZBs without PAR2 files, deny write permissions to the SABnzbd process outside areas it must access to perform its job, or update to a fixed version.
EPSS 0.32% · 55.4th percentile
Risk Scores
EPSS Score
0.32%
55.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | sabnzbdplus | 2.3.2+dfsg-1, 2.3.1+dfsg-1, 1.1.1+dfsg-1 |
| Ubuntu:22.04:LTS | sabnzbdplus | *, *, 0 |
| Ubuntu:20.04:LTS | sabnzbdplus | 0, 2.3.6+dfsg-1build1, 2.3.6+dfsg-1 |
| Ubuntu:16.04:LTS | sabnzbdplus | 0, 0.7.20-1, * |
Exploit Intelligence
Timeline
- May 7, 2021 CVE Published
- May 8, 2021 EPSS Score
- May 12, 2021 EPSS Score
- May 20, 2021 EPSS Score
- Jul 11, 2021 EPSS Score
- Sep 11, 2021 EPSS Score
- Nov 12, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 15, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 16, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-29488 third-party-advisory
- https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-jwj3-wrvf-v3rp third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-29488 third-party-advisory