PT-2021-4111 · Sabnzbd · Sabnzbd

Puzzledsab · Published 2021-03-11 · Updated 2021-05-19 · CVE-2021-29488

CVSS v3.1: 5.3 Medium

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

SABnzbd versions prior to 3.2.1RC1

Description

A vulnerability was discovered in SABnzbd that allows malicious PAR2 files to trick the filesystem.renamer() function into writing downloaded files outside the configured Download Folder. The issue is related to errors in handling relative directory paths. Exploitation of this vulnerability may allow a remote attacker to impact data integrity using a malicious PAR2 file.

Recommendations

For versions prior to 3.2.1RC1, update to version 3.2.1RC1 or later to resolve the issue. As a temporary workaround, consider limiting downloads to NZBs without PAR2 files. Until a patch is applied, deny the SABnzbd process write permissions outside the areas it must access to perform its job.
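A containment check of the kind that stops the relative-path write described above, as an added example (not SABnzbd's code or its actual fix). The function `safe_rename_target` and the sample file names are hypothetical and constructed for illustration.

```python
import os
import tempfile

# Constructed sample names, standing in for file names read from a PAR2 set.
CONSTRUCTED_NAMES = [
    "episode.mkv",            # plain file name
    "subs/en.srt",            # legitimate subdirectory
    "../../outside.txt",      # relative traversal
    "..\\..\\outside.txt",    # same traversal with Windows separators
    "a/../../job1-evil/x",    # sibling directory that shares a string prefix
    "/tmp/abs.txt",           # absolute path
    ".",                      # resolves to the download folder itself
]


def safe_rename_target(download_dir, untrusted_name):
    """Return the resolved rename target, or None if it leaves download_dir."""
    base = os.path.realpath(download_dir)
    # Treat backslashes as separators so Windows-style names get no free pass.
    candidate = untrusted_name.replace("\\", "/")
    if "\x00" in candidate or os.path.isabs(candidate):
        return None
    # realpath collapses ".." components and follows existing symlinks.
    target = os.path.realpath(os.path.join(base, candidate))
    if target == base:
        return None
    # commonpath compares whole components, unlike a startswith() prefix test,
    # so ".../job1-evil" is not mistaken for a child of ".../job1".
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def demo():
    """Map each constructed name to True (accepted) or False (rejected)."""
    with tempfile.TemporaryDirectory() as root:
        download_dir = os.path.join(root, "Downloads", "job1")
        os.makedirs(download_dir)
        return {
            name: safe_rename_target(download_dir, name) is not None
            for name in CONSTRUCTED_NAMES
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name!r:28} {'accept' if accepted else 'REJECT'}")
```
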

Fix

Relative Path Traversal

Weakness Enumeration

Related Identifiers

BDU:2021-04701
CVE-2021-29488
GHSA-JWJ3-WRVF-V3RP

Affected Products

Sabnzbd