CVE-2021-24032
zstd: Race condition allows attacker to access world-readable destination file
- Severity Score: -
- Exploit Likelihood: -
- Affected Versions: -
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
A flaw was found in zstd. While the final file mode reflects the input file, during compression or decompression the output file can temporarily carry wider permissions than the input, potentially leading to security issues (especially when large files are handled, since the window lasts for the whole write).
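The window the descriptions refer to, as an added C demonstration that is not zstd's own code: `create_then_restrict` creates the output file with the process default mode and only tightens it afterwards, returning the mode visible in between; `create_restricted` asks for 0600 in the create call itself, so no wider mode is ever observable. The function names and the `/tmp` path are constructed for this demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 if it cannot be stat'ed. */
static int mode_of(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Current umask, read without changing it. */
static int current_umask(void) {
    mode_t m = umask(0);
    umask(m);
    return (int)m;
}

/* Racy pattern (what CVE-2021-24032 describes): the file is created with the
 * default mode 0666 & ~umask and tightened afterwards. Returns the mode that
 * exists between the two steps, i.e. what another local user could observe. */
static int create_then_restrict(const char *path) {
    unlink(path);                       /* clean slate so the demo repeats */
    FILE *f = fopen(path, "wb");
    if (f == NULL) return -1;
    int seen = mode_of(path);           /* the window: default permissions */
    fclose(f);
    if (chmod(path, 0600) != 0) return -1;
    return seen;
}

/* Race-free pattern: the restricted mode is part of the create call, so no
 * wider mode is ever visible. O_EXCL also refuses a path that already exists. */
static int create_restricted(const char *path) {
    unlink(path);                       /* clean slate so the demo repeats */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    int seen = mode_of(path);
    close(fd);
    return seen;
}

int main(void) {
    const char *p = "/tmp/cve-2021-24032-demo.bin"; /* constructed path */
    printf("create-then-chmod exposes mode %04o\n", create_then_restrict(p));
    printf("create with 0600 exposes mode %04o\n", create_restricted(p));
    return 0;
}
```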
CVSS Scores
- (none recorded)
SSVC
- Decision: -
Timeline
- 2021-01-13 CVE Reserved
- 2021-03-04 CVE Published
- 2023-03-08 EPSS Updated
- 2024-08-03 CVE Updated
- Exploited in Wild: -
- KEV Due Date: -
- First Exploit: -
CWE
- CWE-276: Incorrect Default Permissions
- CWE-277: Insecure Inherited Permissions
- CWE-281: Improper Preservation of Permissions
CAPEC
- (none recorded)
References (5)
URL | Date | Tag |
---|---|---|
https://www.facebook.com/security/advisories/cve-2021-24032 | | Third Party Advisory |
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 | 2021-04-28 | |
https://github.com/facebook/zstd/issues/2491 | 2021-04-28 | |
https://access.redhat.com/security/cve/CVE-2021-24032 | 2024-05-30 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1928090 | 2024-05-30 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Facebook | Zstandard | >= 1.4.1 < 1.4.9 | - | Affected |