Incomplete Fix in Zstandard Utility Leading to File Permission Issues
CVE-2021-24032

4.7MEDIUM

Key Information:

Vendor

Facebook

Status
Zstandard
Vendor
CVE Published:
4 March 2021

What is CVE-2021-24032?

The Zstandard command-line utility from Facebook was found to have a vulnerability stemming from an incomplete fix related to earlier issues. Versions from 1.4.1 to 1.4.8 allowed the creation of output files with default permissions that could be temporarily accessible to unauthorized users. As a result, sensitive data might be at risk during the brief period before file permissions were restricted. Users of the affected versions are advised to update to the latest release to mitigate these risks.

Affected Version(s)

Zstandard 1.4.1

Zstandard 1.4.9

Zstandard < 1.4.1

References

https://github.com/facebook/zstd/issues/2491
x_refsource_MISC
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
x_refsource_MISC
https://www.facebook.com/security/advisories/cve-2021-24032
x_refsource_MISC

CVSS V3.1

Score:
4.7
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.