"bitcoind in Bitcoin Core through 0.21.0 can create a new file in an arbitrary directory (e.g., outside the ~/.bitcoin directory) via a dumpwallet RPC call."
This isn't an actual security issue. Not sure why someone created a CVE for it.
(In reply to Luke-Jr from comment #1)
> This isn't an actual security issue. Not sure why someone created a CVE for
I am not super familiar with this software but this does seem like a security issue. Imagine if the same user running bitcoind had write access to a directory served by an httpd or nfs or something. You could dump a secret to a public directory.
It's a peculiar enough setup that it might never get exploited by anyone, but that's no reason to not treat it as a security issue.
If you have RPC access, you are assumed to be the user running bitcoind and have full access to the wallet already.
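The scenario discussed in this thread (a `dumpwallet` filename pointing outside the data directory, for instance into a served directory) can be screened before a request reaches bitcoind. This is an added example, not code from this thread or from Bitcoin Core; the function name `check_dumpwallet`, the allowed dump directory, and the policy of rejecting relative paths are assumptions for illustration, suited to a front-end that relays JSON-RPC on behalf of another component.

```python
import json
import os


def check_dumpwallet(raw_request: str, allowed_dir: str):
    """Return (ok, reason) for a single JSON-RPC request body.

    Requests other than dumpwallet pass through. A dumpwallet request is
    accepted only if its filename resolves to a path strictly inside
    allowed_dir (hypothetical policy, not Bitcoin Core behaviour).
    """
    try:
        req = json.loads(raw_request)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(req, dict):
        return False, "batch or non-object request"
    if req.get("method") != "dumpwallet":
        return True, "not dumpwallet"

    # dumpwallet takes one argument, "filename", positional or named.
    params = req.get("params")
    if isinstance(params, list) and params:
        filename = params[0]
    elif isinstance(params, dict):
        filename = params.get("filename")
    else:
        filename = None
    if not isinstance(filename, str) or not filename:
        return False, "missing filename"

    # Assumed policy: refuse relative paths rather than guess which
    # working directory they would be resolved against.
    if not os.path.isabs(filename):
        return False, "relative path"

    # realpath collapses ".." and follows symlinks in existing components,
    # so a link inside allowed_dir cannot point the dump elsewhere.
    base = os.path.realpath(allowed_dir)
    target = os.path.realpath(filename)
    if target == base or os.path.commonpath([base, target]) != base:
        return False, "outside allowed directory"
    return True, "inside allowed directory"
```

The check resolves the path at validation time only, so the allowed directory should be writable by the bitcoind user alone; otherwise a symlink created after the check could still redirect the dump.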