CVE-2021-24031

low-risk
Published 2021-03-04

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.

Do I need to act?

-
0.07% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10 Medium
LOCAL / LOW complexity

Affected Products (1)

Zstandard

Affected Vendors

Facebook

References (6)

Exploit https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
Exploit https://github.com/facebook/zstd/issues/1630
Vendor Advisory https://www.facebook.com/security/advisories/cve-2021-24031
Exploit https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
Exploit https://github.com/facebook/zstd/issues/1630
Vendor Advisory https://www.facebook.com/security/advisories/cve-2021-24031
23
/ 100
low-risk
Severity 18/34 · Moderate
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal