CVE-2021-31154

7.8 HIGH

📋 TL;DR

CVE-2021-31154 is a local privilege escalation vulnerability in the 'please' command-line tool versions before 0.4. It uses predictable temporary filenames, allowing local attackers to stage symlink attacks and gain full root privileges. This affects systems where 'please' is installed and accessible to local users.

💻 Affected Systems

Products:
  • please (command-line tool)
Versions: All versions before 0.4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where 'please' is installed and accessible to local users. The vulnerability exists in how temporary files are created.
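
The bug class described above (a predictable temporary filename opened in a way that follows symlinks) next to an exclusive-create fix, as an added example that is not code from please or from this advisory. The `edit.<user>.tmp` name, the helper functions and the sandbox directory are assumptions made for illustration.

```rust
// Added example, not please's code; file names and helpers are hypothetical.
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read, Write};
use std::os::unix::fs::{symlink, OpenOptionsExt};
use std::path::{Path, PathBuf};

/// Weak pattern: guessable name, and create+truncate follows a symlink that
/// another local user planted at that path beforehand.
fn open_predictable(dir: &Path, user: &str) -> io::Result<File> {
    let path = dir.join(format!("edit.{user}.tmp"));
    OpenOptions::new().write(true).create(true).truncate(true).open(path)
}

/// Hardened open: create_new maps to O_CREAT|O_EXCL, which fails if anything,
/// even a dangling symlink, already exists at the path. Mode 0600 keeps it private.
fn open_exclusive(path: &Path) -> io::Result<File> {
    OpenOptions::new().write(true).create_new(true).mode(0o600).open(path)
}

/// Unpredictable name from the kernel RNG, then the exclusive open.
fn open_random(dir: &Path, user: &str) -> io::Result<(PathBuf, File)> {
    let mut rnd = [0u8; 8];
    File::open("/dev/urandom")?.read_exact(&mut rnd)?;
    let suffix: String = rnd.iter().map(|b| format!("{b:02x}")).collect();
    let path = dir.join(format!("edit.{user}.{suffix}"));
    let file = open_exclusive(&path)?;
    Ok((path, file))
}

/// Constructed sandbox: a private directory stands in for /tmp and holds a
/// "protected" file plus a symlink pre-planted at the predictable name.
fn demo() -> io::Result<(String, io::ErrorKind, bool)> {
    let dir = std::env::temp_dir().join(format!("tmpfile-demo-{}", std::process::id()));
    fs::create_dir(&dir)?;
    let protected = dir.join("protected.conf");
    fs::write(&protected, "original")?;
    symlink(&protected, dir.join("edit.alice.tmp"))?;
    open_predictable(&dir, "alice")?.write_all(b"clobbered")?; // goes through the link
    let after_weak = fs::read_to_string(&protected)?;
    let refused = open_exclusive(&dir.join("edit.alice.tmp")).unwrap_err().kind();
    let (safe, _file) = open_random(&dir, "alice")?;
    let regular = fs::symlink_metadata(&safe)?.file_type().is_file();
    fs::remove_dir_all(&dir)?;
    Ok((after_weak, refused, regular))
}

fn main() {
    println!("{:?}", demo());
}
```

When the writing process runs as root, the first open is what turns a planted link into a write to a root-owned file; the exclusive open returns an error instead.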


⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains full root privileges on the system, enabling complete system compromise, data theft, persistence, and lateral movement.

🟠 Likely Case

Local user with limited privileges escalates to root, gaining unauthorized access to sensitive files, configuration, and system resources.

🟢 If Mitigated

Attack fails due to proper file permissions, SELinux/AppArmor restrictions, or lack of local user access to 'please' binary.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local system access, not directly exploitable over network.
🏢 Internal Only: HIGH - Any local user on affected systems can potentially gain root privileges through symlink attack.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires local user access and knowledge of predictable temporary filename patterns. Symlink attack technique is well-documented.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.4 and later

Vendor Advisory: https://gitlab.com/edneville/please/-/tree/master/src/bin

Restart Required: No

Instructions:

1. Check current version: 'please --version'
2. Update to version 0.4 or later: 'pip install --upgrade please' or use system package manager
3. Verify update: 'please --version' should show 0.4+

🔧 Temporary Workarounds

Remove or restrict 'please' binary

linux

Remove the 'please' tool or restrict its execution to trusted users only

# Option 1: remove the tool
sudo rm /usr/local/bin/please
# Option 2: keep it, but restrict execution to the file's owner
sudo chmod 700 /usr/local/bin/please

Use secure temporary directory

linux

Set TMPDIR environment variable to a secure, user-specific directory

# mktemp -d creates a new directory with an unpredictable name and mode 0700
TMPDIR="$(mktemp -d "/tmp/${USER}-secure.XXXXXXXX")"
export TMPDIR

🧯 If You Can't Patch

  • Remove execute permissions for non-privileged users: 'sudo chmod 750 /usr/local/bin/please'
  • Implement strict file system monitoring for symlink creation in /tmp and target directories

🔍 How to Verify

Check if Vulnerable:

Check 'please' version: 'please --version' - if version is less than 0.4, system is vulnerable

Check Version:

please --version

Verify Fix Applied:

After update, run 'please --version' to confirm version 0.4 or higher is installed

📡 Detection & Monitoring

Log Indicators:

  • Unusual symlink creation in /tmp directory
  • Multiple failed 'please' command executions from same user
  • Sudden privilege escalation events

Network Indicators:

  • Not applicable - local attack only

SIEM Query:

source="audit.log" AND ((event_type="SYMLINK" AND path="/tmp/*") OR (process="please" AND user_change="root"))
