CPANSA-Sereal-Encoder-2021-24032-zstd: Sereal-Encoder vulnerability

Publisher	giterlizzi	Document category	csaf_security_advisory
Initial release date	2021-03-04T00:00:00	Engine	CSAF Perl Toolkit 0.25
Current release date	2021-03-04T00:00:00	Build Date
Current version	1	Status	final
CVSS v3.1 Base Score	4.7	Severity	Medium
Original language		Language	en
Also referred to

Vulnerability Description

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.

Vulnerabilities

CVE-2021-24032

Vulnerability Description

Weakness	CWE-277 : Insecure Inherited Permissions

Product status

Known affected

Product

Score

Sereal-Encoder greater than or equal 4.019 and less than 5.002

CVSS Version	CVSS Vector	CVSS Base Score	CVSS Base Severity
3.1	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N	4.7	Medium
2.0	AV:L/AC:M/Au:N/C:P/I:N/A:N	1.9	Low

giterlizzi

Namespace: https://github.com/giterlizzi/

gdt@cpan.org

References

CPANSA-Sereal-Encoder-2021-24032-zstd JSON self
https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2021/cpansa-sereal-encoder-2021-24032-zstd.json
https://github.com/facebook/zstd/issues/2491 external
https://github.com/facebook/zstd/issues/2491
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 external
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519
https://www.facebook.com/security/advisories/cve-2021-24032 external
https://www.facebook.com/security/advisories/cve-2021-24032
CVE-2021-24032 (NVD) external
https://nvd.nist.gov/vuln/detail/CVE-2021-24032

Revision history

Version	Date of the revision	Summary of the revision
1	Thu Mar 4 00:00:00 2021	First release

Sharing rules

TLP:WHITE
For the TLP version see: https://www.first.org/tlp/