Vulnerability Description
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zstandard | < 1.4.1 |
Related Weaknesses (CWE)
References
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404ExploitIssue TrackingMailing List
- https://github.com/facebook/zstd/issues/1630ExploitIssue TrackingThird Party Advisory
- https://www.facebook.com/security/advisories/cve-2021-24031Vendor Advisory
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404ExploitIssue TrackingMailing List
- https://github.com/facebook/zstd/issues/1630ExploitIssue TrackingThird Party Advisory
- https://www.facebook.com/security/advisories/cve-2021-24031Vendor Advisory
FAQ
What is CVE-2021-24031?
CVE-2021-24031 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output fi...
How severe is CVE-2021-24031?
CVE-2021-24031 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-24031?
Check the references section above for vendor advisories and patch information. Affected products include: Facebook Zstandard.