CVE-2021-31153
Description
please before 0.4 allows a local unprivileged attacker to gain knowledge about the existence of files or directories in privileged locations via the search_path function, the --check option, or the -d option.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local unprivileged attacker can check for existence of files in privileged locations in pleaser before 0.4 via search_path, --check, or -d.
Vulnerability
In pleaser (a Rust sudo-like utility) before version 0.4, a local unprivileged attacker can determine whether files or directories exist in privileged locations (e.g., /root, /etc/shadow) through the search_path function, the --check option, or the -d option [1][2][3]. This affects all versions prior to the 0.4 release.
Exploitation
An attacker needs only local access to the system. They can run pleaser with a crafted file path argument or use the --check or -d flags to test existence of arbitrary files or directories. No authentication beyond an unprivileged local account is required, and no user interaction is needed [1][3].
Impact
The attacker gains knowledge of the existence of files or directories in privileged locations, leading to information disclosure (confidentiality impact). This can be used to map out system files or detect sensitive data. Integrity and availability are not affected [1][2][3].
Mitigation
The vulnerability is fixed in pleaser version 0.4 [3]. Users should upgrade to 0.4 or later. If upgrading is not immediately possible, restrict access to the pleaser binary (e.g., remove the setuid bit) to prevent exploitation [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pleaser (crates.io) | < 0.4.0 | 0.4.0 |
References
- github.com/advisories/GHSA-f3fg-5j9p-vchc (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2021-31153 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2021/05/18/1 (ghsa, x_refsource_MISC, WEB)
- crates.io/crates/pleaser (ghsa, WEB)
- gitlab.com/edneville/please/-/tree/master/src/bin (ghsa, x_refsource_MISC, WEB)
- rustsec.org/advisories/RUSTSEC-2021-0104.html (ghsa, WEB)