CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-24032 – zstd: Race condition allows attacker to access world-readable destination file
https://notcve.org/view.php?id=CVE-2021-24032
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties. A partir de la versión v1.4.1 y anterior a la v1.4.9, debido a una solución incompleta para el CVE-2021-24031, la utilidad de línea de comandos Zstandard creó archivos de salida con permisos predeterminados y restringió esos permisos inmediatamente después. Por lo tanto, los archivos de salida podrían ser momentáneamente legibles o escribibles para personas no deseadas A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled). • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 https://github.com/facebook/zstd/issues/2491 https://www.facebook.com/security/advisories/cve-2021-24032 https://access.redhat.com/security/cve/CVE-2021-24032 https://bugzilla.redhat.com/show_bug.cgi?id=1928090 • CWE-276: Incorrect Default Permissions CWE-277: Insecure Inherited Permissions CWE-281: Improper Preservation of Permissions •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 2CVE-2021-24031
https://notcve.org/view.php?id=CVE-2021-24031
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties. En la utilidad Zstandard command-line versiones anteriores a v1.4.1, los archivos de salida se creaban con permisos predeterminados. Los permisos de archivo correctos (que coincidan con la entrada) solo se establecerán en el momento de la completación. • https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 https://github.com/facebook/zstd/issues/1630 https://www.facebook.com/security/advisories/cve-2021-24031 • CWE-276: Incorrect Default Permissions CWE-277: Insecure Inherited Permissions •