Severity: 5.5 MEDIUM (NVD); NVD 4.7
EPSS: 0.1% (top 77.79%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 4; Latest update Jan 10

Description

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (12 packages)

CVEListV5 | facebook/zstandard | 1.4.1 | unspecified
NVD | facebook/zstandard | 1.4.1 | 1.4.9 | +1
debian | debian/libzstd | < libzstd 1.4.8+dfsg-2 (bookworm) | +1

🔴 Vulnerability Details (4)

GHSA | GHSA-ffqj-7pgc-cmj5: Beginning in v1 | 2022-05-24
GHSA | GHSA-5mqj-v3fr-pg3x: In the Zstandard command-line utility prior to v1 | 2022-05-24
OSV | CVE-2021-24031: In the Zstandard command-line utility prior to v1 | 2021-03-04
OSV | CVE-2021-24032: Beginning in v1 | 2021-03-04

📋 Vendor Advisories (7)

Ubuntu | Zstandard vulnerabilities | 2022-11-09
Microsoft | Beginning in v1.4.1 and prior to v1.4.9 due to an incomplete fix for CVE-2021-24031 the Zstandard command-line utility created output files with default permissions and restricted those permissions im | 2021-03-09
Ubuntu | libzstd vulnerabilities | 2021-03-08
Red Hat | zstd: Race condition allows attacker to access world-readable destination file | 2021-02-11
Red Hat | zstd: adds read permissions to files while being compressed or uncompressed | 2021-02-11

🕵️ Threat Intelligence (2)

Trailofbits | Another prolific year of open-source contributions | 2023-01-10