Candidate: CVE-2021-29488
PublicDate: 2021-05-07 15:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29488
 https://github.com/sabnzbd/sabnzbd/security/advisories/GHSA-jwj3-wrvf-v3rp
Description:
 SABnzbd is an open source binary newsreader. A vulnerability was discovered
 in SABnzbd that could trick the `filesystem.renamer()` function into writing
 downloaded files outside the configured Download Folder via malicious PAR2
 files. A patch was released as part of SABnzbd 3.2.1RC1. As a workaround,
 limit downloads to NZBs without PAR2 files, deny write permissions to the
 SABnzbd process outside areas it must access to perform its job, or update
 to a fixed version.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N [5.3 MEDIUM]

Patches_sabnzbdplus:
 upstream: https://github.com/sabnzbd/sabnzbd/commit/3766ba54026eaa520dbee5b57a2f33d4954fb98b
upstream_sabnzbdplus: released (3.2.1)
precise/esm_sabnzbdplus: DNE
trusty_sabnzbdplus: ignored (out of standard support)
trusty/esm_sabnzbdplus: DNE
xenial_sabnzbdplus: ignored (out of standard support)
bionic_sabnzbdplus: needed
focal_sabnzbdplus: needed
groovy_sabnzbdplus: ignored (reached end-of-life)
hirsute_sabnzbdplus: ignored (reached end-of-life)
impish_sabnzbdplus: needed
jammy_sabnzbdplus: needed
devel_sabnzbdplus: needed