{"id":"CVE-2021-44038","details":"An issue was discovered in Quagga through 1.2.4. Unsafe chown/chmod operations in the suggested spec file allow users (with control of the non-root-owned directory /etc/quagga) to escalate their privileges to root upon package installation or update.","modified":"2026-04-10T04:41:13.386424Z","published":"2021-11-19T19:15:09.287Z","related":["openSUSE-SU-2024:12504-1"],"references":[{"type":"ADVISORY","url":"https://github.com/Quagga/quagga/releases"},{"type":"REPORT","url":"https://bugzilla.suse.com/show_bug.cgi?id=1191890"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/Quagga/quagga","events":[{"introduced":"0"},{"last_affected":"ddece197663c5ebc3b4428ad95eef5168ed8fcda"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.2.4"}]}}],"versions":["bgp_rserver_after","bgp_rserver_before","import_isisd_sf_20031223","libtool-after","libtool-before","merge_zprivs_head_1","merge_zprivs_head_2","merge_zprivs_head_3","merge_zprivs_head_4","nonblocking_zclient_after","nonblocking_zclient_before","nonblocking_zserv_after","nonblocking_zserv_before","ospf_api","patch_revert_debug_nssa_patch","patch_vtysh_add_ssh_fix","patch_vtysh_pagesize","patch_z12269_linkstate","patch_z14599_multicast_inactive_if","patch_z14631_ptp_rfc3021","patch_z14800_ospfd_ptmp","patch_z15554_vtysh_writeconf","patch_z15646_ospfd_seqnum_time","patch_z15715_ospf_md5","patch_z15769_ripv1","patch_z16525_kame","patch_z16681_ospfd_nssa","patch_z16823","patch_z16824_nsm_kill_neighbour","patch_z17217_show_thread_cpu","patch_z17218_cli_walk_up","patch_z17290_ifupstaticfix","patch_z17290_portfix","patch_z17335_ospfd_doc","patch_z17352_ptp_network_match","post_bgp_workqueus","pre-rfc2301","pre_bgp_workqueus","quagga-0.99.22","quagga-0.99.22-rc1","quagga-0.99.23","quagga-0.99.23-rc1","quagga-0.99.24","quagga-0.99.24-rc1","quagga-1.0.20160309","quagga-1.0.20160315","quagga-1.1.0","quagga-1.1.1","quagga-1.2.0","quagga-1.2.1","quagga-1.2.2","quagga-1.2.3","quagga-1.2.4","quagga_0_96_1_release","quagga_0_96_2_release","quagga_0_96_3_release","quagga_0_96_4_release","quagga_0_96_5_release","quagga_0_96_release","quagga_0_97_0_release","quagga_0_97_1_release","quagga_0_97_2_release","quagga_0_97_3_release","quagga_0_97_4_release","quagga_0_97_5_release","quagga_0_98_0_release","quagga_0_99_10_release","quagga_0_99_11_release","quagga_0_99_12_release","quagga_0_99_13_release","quagga_0_99_14_release","quagga_0_99_15_release","quagga_0_99_16_release","quagga_0_99_17_release","quagga_0_99_18_release","quagga_0_99_19_release","quagga_0_99_1_release","quagga_0_99_20_release","quagga_0_99_21_release","quagga_0_99_2_release","quagga_0_99_3_release","quagga_0_99_4_release","quagga_0_99_5_release","quagga_0_99_6_release","quagga_0_99_7_release","quagga_0_99_8_release","quagga_0_99_9_release","quagga_post_listloop_cleanup","quagga_pre_listloop_cleanup","rfc3021-ipv6-fix"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-44038.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}