CVE-2021-24031
Summary
| CVE | CVE-2021-24031 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-03-04 21:15:00 UTC |
| Updated | 2021-04-14 15:28:00 UTC |
| Description | In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties. |
Risk And Classification
Problem Types: CWE-276
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| zstd adds read permissions to files while being compressed or uncompressed · Issue #1630 · facebook/zstd · GitHub | MISC | github.com | Exploit, Issue Tracking, Third Party Advisory |
| #981404 - compressed file is world readable, while zstd is running - Debian Bug report logs | MISC | bugs.debian.org | Exploit, Mailing List, Third Party Advisory |
| | MISC | www.facebook.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 174840 SUSE Enterprise Linux Security update for zstd (SUSE-SU-2021:0948-1)
- 174859 SUSE Enterprise Linux Security update for zstd (SUSE-SU-2021:0948-1)
- 179948 Debian Security Update for libzstd (CVE-2021-24031)
- 501804 Alpine Linux Security Update for zstd
- 504573 Alpine Linux Security Update for zstd
- 670502 EulerOS Security Update for zstd (EulerOS-SA-2021-2260)
- 670528 EulerOS Security Update for zstd (EulerOS-SA-2021-2286)
- 670732 EulerOS Security Update for zstd (EulerOS-SA-2021-2490)
- 750290 OpenSUSE Security Update for zstd (openSUSE-SU-2021:0481-1)