CVE-2021-29488: 
NixOS vulnerability analysis and mitigation

SABnzbd, an open source binary newsreader, was found to contain a vulnerability (CVE-2021-29488) that could allow attackers to write files outside the configured Download Folder through malicious PAR2 files. The vulnerability was discovered by Puzzledsab and disclosed on May 7, 2021. The issue affects SABnzbd versions <3.0.0 on Windows and <3.2.1 on other operating systems (GitHub Advisory).

The vulnerability exists in the filesystem.renamer() function which could be tricked into writing downloaded files outside the configured Download Folder through specially crafted PAR2 files. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue is classified as CWE-23 (Relative Path Traversal) (NVD).

The exploitation of this vulnerability requires downloading an NZB file that triggers the retrieval of malicious PAR2 and other files from Usenet. No user interaction is required beyond adding the NZB to the download queue, which can be automated through third-party applications. The attacker could potentially create files anywhere the SABnzbd process has write permissions, which could be leveraged to run commands or manipulate the system. However, existing files cannot be overwritten, modified, or deleted (GitHub Advisory).

The vulnerability was patched in commit 3766ba5 and released as part of SABnzbd 3.2.1RC1. Users are advised to update to a fixed version. Alternative workarounds include limiting downloads to NZBs without PAR2 files or denying write permissions to the SABnzbd process outside areas it must access to perform its job (GitHub Advisory).