CVE-2021-24031
Published: 10 February 2021
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
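The window the description refers to is the time between creating the output file and setting its final permissions. The following added example (written for this page, not zstd's own code; the function and path names are hypothetical and the input file is constructed) contrasts the two creation patterns on POSIX: one creates the output with the process's default mode and only fixes it up at completion, the other creates it owner-only from the first instant and copies the input's permission bits once the data is complete. The demo function reports the mode observable during the write window and after completion, so the difference can be checked with `stat` rather than inferred.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed scratch paths for the demo (not from the advisory). */
#define DEMO_IN  "/tmp/cve_2021_24031_demo_in"
#define DEMO_OUT "/tmp/cve_2021_24031_demo_out"

/* Pre-fix pattern: the output is created with the default mode
 * (0666 & ~umask). Everything written before completion is visible to
 * whoever the umask lets in. Hypothetical name. */
int open_output_default(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened pattern: the output is created owner-only (0600) at the
 * moment it comes into existence, so there is no window in which other
 * users can read partially written data. Hypothetical name. */
int open_output_restricted(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
}

/* Completion step shared by both patterns: copy the input file's
 * permission bits onto the finished output, then close it. */
int finish_output(int fd, const char *input_path) {
    struct stat st;
    if (stat(input_path, &st) != 0) { close(fd); return -1; }
    if (fchmod(fd, st.st_mode & 07777) != 0) { close(fd); return -1; }
    return close(fd);
}

/* Permission bits (low 12 bits of st_mode) of a path, or -1 on error. */
int perm_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 07777);
}

/* Write a constructed input file and give it the requested bits
 * (fchmod is not subject to the umask, so the bits are exact). */
static int make_input(const char *path, mode_t bits) {
    static const char payload[] = "constructed secret payload\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, payload, sizeof payload - 1) < 0) { close(fd); return -1; }
    if (fchmod(fd, bits) != 0) { close(fd); return -1; }
    return close(fd);
}

/* Run one pattern end to end. Returns the output's permission bits as
 * seen while the file is still being written (the window the CVE
 * describes); *final receives the bits after finish_output(). The input
 * is created with mode 0640 under umask 022, so the default pattern
 * yields 0644 during the window and the restricted one yields 0600;
 * both end at 0640. Returns -1 on any I/O failure. */
int demo_window_mode(int restricted, int *final) {
    umask(022);                      /* deterministic default mode */
    if (make_input(DEMO_IN, 0640) != 0) return -1;
    int fd = restricted ? open_output_restricted(DEMO_OUT)
                        : open_output_default(DEMO_OUT);
    if (fd < 0) return -1;
    int during = perm_bits(DEMO_OUT);          /* observed mid-write */
    if (write(fd, "x", 1) < 0) { close(fd); return -1; }
    if (finish_output(fd, DEMO_IN) != 0) return -1;
    if (final) *final = perm_bits(DEMO_OUT);   /* observed at completion */
    unlink(DEMO_IN);
    unlink(DEMO_OUT);
    return during;
}

int main(void) {
    int fin;
    printf("default pattern:    during=%04o final=%04o\n",
           demo_window_mode(0, &fin), fin);
    printf("restricted pattern: during=%04o final=%04o\n",
           demo_window_mode(1, &fin), fin);
    return 0;
}
```

The check a packager or auditor can apply to any compressor is the same one the demo performs: `stat` the output while it is being written, not only after the tool exits, and compare the mode against the input's.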
Priority
Status
Package | Release | Status
---|---|---
libzstd (Launchpad, Ubuntu, Debian) | impish | Not vulnerable (1.4.8+dfsg-1)
libzstd | jammy | Not vulnerable (1.4.8+dfsg-1)
libzstd | lunar | Not vulnerable (1.4.8+dfsg-1)
libzstd | upstream | Released (1.4.8+dfsg-1)
libzstd | xenial | Released (1.3.1+dfsg-1~ubuntu0.16.04.1+esm3); available with Ubuntu Pro or Ubuntu Pro (Infra-only)
libzstd | trusty | Does not exist
libzstd | hirsute | Not vulnerable (1.4.8+dfsg-1)
libzstd | bionic | Released (1.3.3+dfsg-2ubuntu1.2)
libzstd | focal | Released (1.4.4+dfsg-3ubuntu0.1)
libzstd | groovy | Released (1.4.5+dfsg-4ubuntu0.1)
libzstd | kinetic | Not vulnerable (1.4.8+dfsg-1)
Patches:
- upstream: https://github.com/facebook/zstd/pull/1644/commits/3968160a916a759c3d3418da533e1b4f8b795343
- upstream: https://github.com/facebook/zstd/pull/1644/commits/af80f6dfacafcc2c916ecd57731107221e1f9986
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |