CVE-2021-3978

When copying files with rsync, octorpki uses the "-a" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 0.8 / Impact : 6.0

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cloudflare:octorpki:*:*:*:*:*:*:*:*

History

29 Jul 2025, 23:40

Type	Values Removed	Values Added
References	~~() https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85 -~~	() https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85 - Vendor Advisory
Summary		(es) Al copiar archivos con rsync, octorpki utiliza el indicador "-a" 0, que obliga a rsync a copiar binarios con el bit suid establecido como root. Dado que la definición de servicio proporcionada tiene como valor predeterminado root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service), esto podría permitir un vector, cuando se combina con otra vulnerabilidad que hace que octorpki procese un archivo TAL malicioso, para una escalada de privilegios local.
First Time		Cloudflare octorpki Cloudflare
CPE		cpe:2.3:a:cloudflare:octorpki::::::::
CWE		NVD-CWE-noinfo

29 Jan 2025, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-01-29 10:15

Updated : 2025-07-29 23:40

NVD link : CVE-2021-3978

Mitre link : CVE-2021-3978

CVE.ORG link : CVE-2021-3978

JSON object : View

Products Affected

cloudflare

octorpki

CWE

CWE-269

Improper Privilege Management

NVD-CWE-noinfo

{"id": "CVE-2021-3978", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cna@cloudflare.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 0.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-01-29T10:15:07.750", "references": [{"url": "https://github.com/cloudflare/cfrpki/security/advisories/GHSA-3pqh-p72c-fj85", "tags": ["Vendor Advisory"], "source": "cna@cloudflare.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cna@cloudflare.com", "description": [{"lang": "en", "value": "CWE-269"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "When copying files with rsync, octorpki uses the \"-a\" flag 0, which forces rsync to copy binaries with the suid bit set as root. Since the provided service definition defaults to root ( https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service ) this could allow for a vector, when combined with another vulnerability that causes octorpki to process a malicious TAL file, for a local privilege escalation."}, {"lang": "es", "value": "Al copiar archivos con rsync, octorpki utiliza el indicador \"-a\" 0, que obliga a rsync a copiar binarios con el bit suid establecido como root. Dado que la definici\u00f3n de servicio proporcionada tiene como valor predeterminado root (https://github.com/cloudflare/cfrpki/blob/master/package/octorpki.service), esto podr\u00eda permitir un vector, cuando se combina con otra vulnerabilidad que hace que octorpki procese un archivo TAL malicioso, para una escalada de privilegios local."}], "lastModified": "2025-07-29T23:40:21.880", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cloudflare:octorpki:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "76835CC2-1E72-4632-9904-26EE9A5B2BDF", "versionEndExcluding": "1.4.2"}], "operator": "OR"}]}], "sourceIdentifier": "cna@cloudflare.com"}