{"api_version":"1","generated_at":"2026-04-22T23:31:38+00:00","cve":"CVE-2021-24031","urls":{"html":"https://cve.report/CVE-2021-24031","api":"https://cve.report/api/cve/CVE-2021-24031.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-24031","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-24031"},"summary":{"title":"CVE-2021-24031","description":"In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.","state":"PUBLIC","assigner":"cve-assign@fb.com","published_at":"2021-03-04 21:15:00","updated_at":"2021-04-14 15:28:00"},"problem_types":["CWE-276"],"metrics":[],"references":[{"url":"https://github.com/facebook/zstd/issues/1630","name":"https://github.com/facebook/zstd/issues/1630","refsource":"MISC","tags":["Exploit","Issue Tracking","Third Party Advisory"],"title":"zstd adds read permissions to files while being compressed or uncompressed · Issue #1630 · facebook/zstd · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404","name":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404","refsource":"MISC","tags":["Exploit","Mailing List","Third Party Advisory"],"title":"#981404 - compressed file is world readable, while zstd is running - Debian Bug report logs","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.facebook.com/security/advisories/cve-2021-24031","name":"https://www.facebook.com/security/advisories/cve-2021-24031","refsource":"MISC","tags":["Vendor Advisory"],"title":"Facebook","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-24031","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24031","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"24031","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"facebook","cpe5":"zstandard","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"24031","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"facebook","cpe5":"zstandard","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-24031","qid":"174840","title":"SUSE Enterprise Linux Security update for zstd (SUSE-SU-2021:0948-1)"},{"cve":"CVE-2021-24031","qid":"174859","title":"SUSE Enterprise Linux Security update for zstd (SUSE-SU-2021:0948-1)"},{"cve":"CVE-2021-24031","qid":"179948","title":"Debian Security Update for libzstd (CVE-2021-24031)"},{"cve":"CVE-2021-24031","qid":"501804","title":"Alpine Linux Security Update for zstd"},{"cve":"CVE-2021-24031","qid":"504573","title":"Alpine Linux Security Update for zstd"},{"cve":"CVE-2021-24031","qid":"670502","title":"EulerOS Security Update for zstd (EulerOS-SA-2021-2260)"},{"cve":"CVE-2021-24031","qid":"670528","title":"EulerOS Security Update for zstd (EulerOS-SA-2021-2286)"},{"cve":"CVE-2021-24031","qid":"670732","title":"EulerOS Security Update for zstd (EulerOS-SA-2021-2490)"},{"cve":"CVE-2021-24031","qid":"750290","title":"OpenSUSE Security Update for zstd (openSUSE-SU-2021:0481-1)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve-assign@fb.com","DATE_ASSIGNED":"2021-03-01","ID":"CVE-2021-24031","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Facebook","product":{"product_data":[{"product_name":"Zstandard","version":{"version_data":[{"version_affected":"!>=","version_value":"1.4.1"},{"version_affected":"<","version_value":"1.4.1"}]}}]}}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Insecure Inherited Permissions (CWE-277)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://github.com/facebook/zstd/issues/1630","url":"https://github.com/facebook/zstd/issues/1630"},{"refsource":"MISC","name":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404","url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404"},{"refsource":"MISC","name":"https://www.facebook.com/security/advisories/cve-2021-24031","url":"https://www.facebook.com/security/advisories/cve-2021-24031"}]}},"nvd":{"publishedDate":"2021-03-04 21:15:00","lastModifiedDate":"2021-04-14 15:28:00","problem_types":["CWE-276"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":1.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*","versionEndExcluding":"1.4.1","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"24031","Ordinal":"198790","Title":"CVE-2021-24031","CVE":"CVE-2021-24031","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"24031","Ordinal":"1","NoteData":"In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"24031","Ordinal":"2","NoteData":"2021-03-04","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"24031","Ordinal":"3","NoteData":"2021-03-04","Type":"Other","Title":"Modified"}]}}}