Vulnerability Details : CVE-2021-24031
Potential exploit
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions, that is, whatever the process umask allows for a newly created file (typically 0644). The correct permissions (matching the input file) were only set at completion time, so for the whole duration of a compression or decompression the partially written output could be readable or writable by unintended parties on the same host. The issue is fixed in v1.4.1; zstd --version shows the installed release.
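The bug class, shown as an added example in C (zstd's own language); this is my illustration, not code from zstd or from the advisory. The vulnerable opener creates the output with the 0666 default and relies on a later permission fix-up, while the hardened opener passes the restrictive mode to open(2) itself and only widens it, through the descriptor, once the output is complete. It assumes /tmp is writable, sets a umask of 022 inside the demo so the result is deterministic, and the scratch path names are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits that expose the file to anyone other than its owner. */
#define NON_OWNER_RW (S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH)

/* Vulnerable pattern (the bug class behind CVE-2021-24031): the output is created with
 * the permissive 0666 default, so while it is being written its mode is 0666 & ~umask,
 * typically 0644 (world-readable). Copying the input's mode only at the end of the run
 * leaves the partially written output exposed for the whole (de)compression. */
static int open_output_vulnerable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: hand the restrictive mode to open(2). The kernel applies it
 * atomically at creation, so there is no instant at which group or others can read
 * the file. O_EXCL makes the call fail if something already sits at the path (the
 * mode argument is ignored for pre-existing files, and a planted symlink would be
 * followed). A chmod(2) on the path after creation would not do: it leaves a race
 * window and acts on the path, not on the file that was actually created. */
static int open_output_hardened(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Once the output is complete, widen it to the input's permissions, via the
 * descriptor so the change cannot be redirected by a path swap. */
static int finish_output(int fd, mode_t input_mode) {
    return fchmod(fd, input_mode & 07777);
}

/* Permission bits of an open descriptor, or (mode_t)-1 on error. */
static mode_t mode_of_fd(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0) return (mode_t)-1;
    return st.st_mode & 07777;
}

/* Nonzero when a mode grants read or write access beyond the owner. */
int mode_exposes_file(mode_t mode) {
    return (mode & NON_OWNER_RW) != 0;
}

/* Builds a per-process scratch path under /tmp (assumed writable) and removes any
 * stale copy so that O_CREAT really creates the file and the mode argument applies. */
static const char *scratch_path(char *buf, size_t len, const char *tag) {
    snprintf(buf, len, "/tmp/cve-2021-24031-%s.%ld", tag, (long)getpid());
    unlink(buf);
    return buf;
}

/* Creates the output with `opener`, writes a constructed payload, and reports the
 * mode the file has *during* the write (the window the CVE is about), then cleans up. */
static mode_t mode_during_write(int (*opener)(const char *), const char *tag) {
    static const char payload[] = "constructed sample output";
    char path[128];
    int fd;
    mode_t mode;

    umask(022); /* the common default; makes the vulnerable result deterministic */
    fd = opener(scratch_path(path, sizeof path, tag));
    if (fd < 0) return (mode_t)-1;
    if (write(fd, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) {
        close(fd); unlink(path); return (mode_t)-1;
    }
    mode = mode_of_fd(fd);
    close(fd);
    unlink(path);
    return mode;
}

mode_t demo_vulnerable_mode(void) { return mode_during_write(open_output_vulnerable, "vuln"); }
mode_t demo_hardened_mode(void)   { return mode_during_write(open_output_hardened, "safe"); }

/* The hardened flow end to end: owner-only while writing, the input's mode once done. */
mode_t demo_hardened_final_mode(mode_t input_mode) {
    char path[128];
    int fd = open_output_hardened(scratch_path(path, sizeof path, "final"));
    mode_t mode;
    if (fd < 0) return (mode_t)-1;
    if (finish_output(fd, input_mode) != 0) { close(fd); unlink(path); return (mode_t)-1; }
    mode = mode_of_fd(fd);
    close(fd);
    unlink(path);
    return mode;
}

int main(void) {
    printf("vulnerable pattern, mode while writing: %04o\n", (unsigned)demo_vulnerable_mode());
    printf("hardened pattern,   mode while writing: %04o\n", (unsigned)demo_hardened_mode());
    printf("hardened pattern,   mode after finish:  %04o\n", (unsigned)demo_hardened_final_mode(0644));
    return 0;
}
```

Run it as a normal user: the vulnerable opener reports 0644 while the file is still being written, the hardened one 0600, and the finished hardened output carries the mode passed in. The same fstat probe, run against a file that zstd is still writing, is the quickest way to confirm whether an installed build is affected.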
Products affected by CVE-2021-24031
- cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-24031
EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~20% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2021-24031
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
CWE ids for CVE-2021-24031
- CWE-276 (Incorrect Default Permissions): During installation, installed file permissions are set to allow anyone to modify those files. Assigned by: nvd@nist.gov (Primary)
- CWE-277 (Insecure Inherited Permissions): A product defines a set of insecure permissions that are inherited by objects that are created by the program. Assigned by: cve-assign@fb.com (Secondary)
References for CVE-2021-24031
- https://www.facebook.com/security/advisories/cve-2021-24031 (Facebook vendor advisory)
- https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 (Debian bug #981404, "compressed file is world readable, while zstd is running"; tagged Exploit, Issue Tracking, Mailing List, Third Party Advisory)
- https://github.com/facebook/zstd/issues/1630 (facebook/zstd issue #1630, "zstd adds read permissions to files while being compressed or uncompressed"; tagged Exploit, Issue Tracking, Third Party Advisory)