CVE-2021-24032 - Vulnerability Details - OpenCVE

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Facebook	Zstandard
Redhat	Amq Streams

Configuration 1 [-]

cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat AMQ Streams 2.7.0
	cpe:/a:redhat:amq_streams:2	RHSA-2024:3527	2024-05-30T00:00:00Z

References

Link	Providers
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
https://github.com/facebook/zstd/issues/2491
https://nvd.nist.gov/vuln/detail/CVE-2021-24032
https://www.cve.org/CVERecord?id=CVE-2021-24032
https://www.facebook.com/security/advisories/cve-2021-24032

History

No history.

MITRE

Status: PUBLISHED

Assigner: facebook

Published: 2021-03-04T20:15:21

Updated: 2024-08-03T19:21:17.115Z

Reserved: 2021-01-13T00:00:00

Link: CVE-2021-24032

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-03-04T21:15:12.963

Modified: 2024-11-21T05:52:14.943

Link: CVE-2021-24032

Redhat

Severity : Low

Publid Date: 2021-02-11T00:00:00Z

Links: CVE-2021-24032 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Zstandard", "vendor": "Facebook", "versions": [{"lessThan": "unspecified", "status": "unaffected", "version": "1.4.9", "versionType": "custom"}, {"lessThan": "unspecified", "status": "affected", "version": "1.4.1", "versionType": "custom"}, {"lessThan": "1.4.1", "status": "unaffected", "version": "unspecified", "versionType": "custom"}]}], "dateAssigned": "2021-03-01T00:00:00", "descriptions": [{"lang": "en", "value": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-277", "description": "Insecure Inherited Permissions (CWE-277)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-03-04T20:15:21", "orgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "shortName": "facebook"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/facebook/zstd/issues/2491"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"}, {"tags": ["x_refsource_MISC"], "url": "https://www.facebook.com/security/advisories/cve-2021-24032"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@fb.com", "DATE_ASSIGNED": "2021-03-01", "ID": "CVE-2021-24032", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Zstandard", "version": {"version_data": [{"version_affected": "!>=", "version_value": "1.4.9"}, {"version_affected": ">=", "version_value": "1.4.1"}, {"version_affected": "!<", "version_value": "1.4.1"}]}}]}, "vendor_name": "Facebook"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Insecure Inherited Permissions (CWE-277)"}]}]}, "references": {"reference_data": [{"name": "https://github.com/facebook/zstd/issues/2491", "refsource": "MISC", "url": "https://github.com/facebook/zstd/issues/2491"}, {"name": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", "refsource": "MISC", "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"}, {"name": "https://www.facebook.com/security/advisories/cve-2021-24032", "refsource": "MISC", "url": "https://www.facebook.com/security/advisories/cve-2021-24032"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T19:21:17.115Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/facebook/zstd/issues/2491"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.facebook.com/security/advisories/cve-2021-24032"}]}]}, "cveMetadata": {"assignerOrgId": "4fc57720-52fe-4431-a0fb-3d2c8747b827", "assignerShortName": "facebook", "cveId": "CVE-2021-24032", "datePublished": "2021-03-04T20:15:21", "dateReserved": "2021-01-13T00:00:00", "dateUpdated": "2024-08-03T19:21:17.115Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*", "matchCriteriaId": "D09560DA-1F1B-41AA-B96F-DABEE82C04D0", "versionEndExcluding": "1.4.9", "versionStartIncluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties."}, {"lang": "es", "value": "A partir de la versi\u00f3n v1.4.1 y anterior a la v1.4.9, debido a una soluci\u00f3n incompleta para el CVE-2021-24031, la utilidad de l\u00ednea de comandos Zstandard cre\u00f3 archivos de salida con permisos predeterminados y restringi\u00f3 esos permisos inmediatamente despu\u00e9s. Por lo tanto, los archivos de salida podr\u00edan ser moment\u00e1neamente legibles o escribibles para personas no deseadas"}], "id": "CVE-2021-24032", "lastModified": "2024-11-21T05:52:14.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 1.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-03-04T21:15:12.963", "references": [{"source": "cve-assign@fb.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"}, {"source": "cve-assign@fb.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/facebook/zstd/issues/2491"}, {"source": "cve-assign@fb.com", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2021-24032"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/facebook/zstd/issues/2491"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.facebook.com/security/advisories/cve-2021-24032"}], "sourceIdentifier": "cve-assign@fb.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-277"}], "source": "cve-assign@fb.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-276"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3527", "cpe": "cpe:/a:redhat:amq_streams:2", "product_name": "Red Hat AMQ Streams 2.7.0", "release_date": "2024-05-30T00:00:00Z"}], "bugzilla": {"description": "zstd: Race condition allows attacker to access world-readable destination file", "id": "1928090", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1928090"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-281", "details": ["Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.", "A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled)."], "name": "CVE-2021-24032", "package_state": [{"cpe": "cpe:/a:redhat:advanced_cluster_security:3", "fix_state": "Affected", "package_name": "rox", "product_name": "Red Hat Advanced Cluster Security 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "ceph", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "libzstd", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "zstd", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "zstd", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Out of support scope", "package_name": "zstd", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "zstd", "product_name": "Red Hat OpenStack Platform 16.1"}], "public_date": "2021-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-24032\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-24032"], "statement": "In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life.\nThis vulnerability can be considered low severity rather than moderate due to the fact that the elevated file permissions are only temporary and only exist during the compression or decompression process. Once the operation completes, the file permissions revert to their intended state, mirroring those of the input file. The risk is further minimized by the fact that the exposure window is brief, and the elevated permissions are not persistent. Additionally, the issue only arises during the processing of files, and only those with larger sizes or more involved operations would be at risk.", "threat_severity": "Low"}