CVE-2021-3978

Description

### Impact When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation. ## For more information If you have any questions or comments about this advisory email us at [email protected]

Affected packages (3)

• Debian/cfrpkifrom 0, < 1.4.2-1~deb11u1
• Go/github.com/cloudflare/cfrpkifrom 0, < 1.4.2
• Go/github.com/cloudflare/cfrpkifrom 0, < 1.4.2

CVSS scores

References (4)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-3978
• ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-3978
• PATCHhttps://github.com/cloudflare/cfrpki
• WEBhttps://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85