CVE-2021-3978
HIGH7.5EPSS 0.07%Improper Preservation of Permissions in github.com/cloudflare/cfrpki/cmd/octorpki
發布日:2021/11/19修改日:2025/1/29
描述
### Impact When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation. ## For more information If you have any questions or comments about this advisory email us at [email protected]
受影響套件(3)
- Debian/cfrpkifrom 0, < 1.4.2-1~deb11u1
- Go/github.com/cloudflare/cfrpkifrom 0, < 1.4.2
- Go/github.com/cloudflare/cfrpkifrom 0, < 1.4.2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H |