CPANSA-Sereal-Decoder-2021-24031-zstd: Sereal-Decoder vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2021-03-04T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2021-03-04T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	5.5	Severity	Medium
Original language		Language	en
Also referred to

Vulnerability Description

In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.

Vulnerabilities

CVE-2021-24031

Vulnerability Description

Weakness	CWE-277 : Insecure Inherited Permissions

Product status

Known affected

Product

Score

Sereal-Decoder greater than or equal 4.001_001 and less than 4.009_002

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.1	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N	5.5	Medium
2.0	AV:L/AC:L/Au:N/C:P/I:N/A:N	2.1	Low

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-Sereal-Decoder-2021-24031-zstd JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2021/cpansa-sereal-decoder-2021-24031-zstd.json
https://www.facebook.com/security/advisories/cve-2021-24031 external
https://www.facebook.com/security/advisories/cve-2021-24031
https://github.com/facebook/zstd/issues/1630 external
https://github.com/facebook/zstd/issues/1630
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 external
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404
CVE-2021-24031 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2021-24031

Revision history

Version	Date of the revision	Summary of the revision
1	Thu Mar 4 00:00:00 2021	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/