#VU51639 Incorrect default permissions in Zstandard - CVE-2021-24031

Cybersecurity Help s.r.o.

Published: 2021-03-23

Vulnerability identifier: #VU51639

Vulnerability risk: High

CVSSv4.0: 8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2021-24031

CWE-ID: CWE-276

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Zstandard
Universal components / Libraries / Libraries used by multiple products

Vendor: Facebook Inc.

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to incorrect default permissions for files and folders that are set by the application within the command-line utility. A remote attacker can view contents of files and directories or modify them.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Zstandard: 1.4.0

External links
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
https://github.com/facebook/zstd/issues/1630
https://www.facebook.com/security/advisories/cve-2021-24031

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for libzstd

openEuler update for zstd

SUSE update for zstd

Multiple vulnerabilities in Cloud Foundry cflinuxfs3 and CF Deployment

Ubuntu update for libzstd

Incorrect default permissions in Facebook Zstandard