CVE-2021-29005: 
rConfig vulnerability analysis and mitigation

CVE-2021-29005 affects rConfig server version 3.9.6, where an insecure permission configuration in the chmod command exists. The vulnerability was discovered and disclosed in October 2021. After installing rConfig, the apache user can execute chmod as root without requiring a password, which creates a significant security risk (NVD).

The vulnerability is classified with a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability stems from incorrect default permissions (CWE-276) that allow the apache user to execute the chmod command with root privileges without authentication (NVD).

The vulnerability allows an attacker with low privileges to gain root access on the server. This means a compromised apache user account could be leveraged to obtain complete control over the system, potentially leading to unauthorized access to sensitive data, system modification, and full system compromise (NVD).

Users should upgrade to a version newer than rConfig 3.9.6. As of February 2023, rConfig v3 has been fully deprecated and is no longer supported on the public repository. Users are advised to migrate to V6 Core or newer versions (Vendor Advisory).