CVE-2021-24032 — Incorrect Default Permissions in Zstandard

CWE-276 — Incorrect Default Permissions CWE-281 — Improper Preservation of Permissions8 documents7 sources

Severity

4.7MEDIUMNVD

OSV5.5

EPSS

0.0%

top 94.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Facebook Zstandard Debian Libzstd Msrc Azl3 Ceph 18.2.2-5 ON Azure Linux 3.0 +8 more

Timeline

PublishedMar 4

Latest updateNov 9

Description

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.0 | Impact: 3.6

Affected Packages11 packages

▶NVDfacebook/zstandard1.4.1 — 1.4.9

▶debiandebian/libzstd< libzstd 1.4.8+dfsg-2 (bookworm)

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

▶msrcmsrc/cbl_mariner_2.0_arm

Patches

Patch: bugs.debian.org ↗Patch: github.com ↗Patch: bugs.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-ffqj-7pgc-cmj5: Beginning in v1↗2022-05-24

▶

OSV

CVE-2021-24032: Beginning in v1↗2021-03-04

▶

📋Vendor Advisories

Ubuntu

Zstandard vulnerabilities↗2022-11-09

▶

Microsoft

Beginning in v1.4.1 and prior to v1.4.9 due to an incomplete fix for CVE-2021-24031 the Zstandard command-line utility created output files with default permissions and restricted those permissions im↗2021-03-09

▶

Ubuntu

libzstd vulnerabilities↗2021-03-08

▶

Red Hat

zstd: Race condition allows attacker to access world-readable destination file↗2021-02-11

▶

Debian

CVE-2021-24032: libzstd - Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-2...↗2021

▶