// For flags

CVE-2021-24032

zstd: Race condition allows attacker to access world-readable destination file

Severity Score

4.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

A partir de la versión v1.4.1 y anterior a la v1.4.9, debido a una solución incompleta para el CVE-2021-24031, la utilidad de línea de comandos Zstandard creó archivos de salida con permisos predeterminados y restringió esos permisos inmediatamente después. Por lo tanto, los archivos de salida podrían ser momentáneamente legibles o escribibles para personas no deseadas

A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-01-13 CVE Reserved
  • 2021-03-04 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-08-03 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-276: Incorrect Default Permissions
  • CWE-277: Insecure Inherited Permissions
  • CWE-281: Improper Preservation of Permissions
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Facebook
Search vendor "Facebook"
 Zstandard
Search vendor "Facebook" for product "Zstandard"
 >= 1.4.1 < 1.4.9
Search vendor "Facebook" for product "Zstandard" and version " >= 1.4.1 < 1.4.9"
-
Affected