CVE-2021-24032 - log

CVE-2021-24032 edited at 04 Mar 2021 23:51:26
References
+ https://www.facebook.com/security/advisories/cve-2021-24032
https://github.com/facebook/zstd/issues/2491
- https://github.com/facebook/zstd/issues/1630
https://github.com/facebook/zstd/pull/2495
https://github.com/facebook/zstd/commit/a2adc6df9f44ca9b180872e18528fd236e8a4d20
CVE-2021-24032 edited at 04 Mar 2021 23:49:56
Description
- A security issue was found in zstd before version 1.4.9. During compression and decompression, files were created with the default umask before tightening the file permissions to 0600. By exploiting this race condition, attackers could read or write files they would otherwise not be allowed to access.
+ Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
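The description above (and the earlier wording of it further down this log) boils down to an ordering bug: the output file is created with whatever the process umask allows and only afterwards tightened to 0600, so a concurrent process can open it in the window between the two calls. The following is an added illustration of that window and of the usual remedy, written for this page; it is not zstd's code and does not claim to be the fix in the referenced commit. Function names, the use of O_EXCL, and the /tmp paths are choices made for the example.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of a path, or -1 if it cannot be stat'ed. */
static int file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (int)(st.st_mode & 0777);
}

/* Pattern the advisory describes (hypothetical reconstruction, not zstd's code):
 * create with the default umask, then tighten. The permission bits observed
 * between the two steps are written to *mode_in_window; that is what another
 * local user sees, and can act on, while the file is being written. */
int create_then_chmod(const char *path, int *mode_in_window) {
    FILE *f = fopen(path, "wb");        /* created as 0666 & ~umask */
    if (f == NULL) return -1;
    *mode_in_window = file_mode(path);  /* the race window */
    fclose(f);
    return chmod(path, 0600);           /* too late for anyone who already opened it */
}

/* Remedy: ask for 0600 at creation time. umask can only clear bits, never add
 * them, so no wider-permission state is ever visible. O_EXCL makes the call
 * fail on a pre-existing file, whose mode open() would otherwise leave as-is. */
int create_private(const char *path, int *mode_in_window) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    *mode_in_window = file_mode(path);  /* already 0600 here */
    close(fd);
    return 0;
}

int main(void) {
    const char *a = "/tmp/cve-2021-24032-demo-a";  /* constructed paths for the demo */
    const char *b = "/tmp/cve-2021-24032-demo-b";
    int m;
    umask(022);                          /* a common default umask */
    unlink(a); unlink(b);
    if (create_then_chmod(a, &m) == 0)
        printf("create-then-chmod: mode during window %04o, final %04o\n", m, file_mode(a));
    if (create_private(b, &m) == 0)
        printf("mode-at-creation:  mode during window %04o\n", m);
    unlink(a); unlink(b);
    return 0;
}
```

With umask 022 the first variant is world-readable (0644) during the window and only becomes 0600 after chmod; the second is 0600 from the first instant it exists. Checking the mode from the same process, as done here, only shows that the state exists; in the real issue the reader is a separate process racing the writer, and the window is as long as the write between fopen and chmod. If the tool may legitimately overwrite an existing output file, O_EXCL has to be replaced by an unlink-then-create or by an explicit fchmod on the descriptor, since open() with O_CREAT does not change the mode of a file that already exists.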
CVE-2021-24032 edited at 02 Mar 2021 09:04:00
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Local
Type
- Unknown
+ Access restriction bypass
Description
+ A security issue was found in zstd before version 1.4.9. During compression and decompression, files were created with the default umask before tightening the file permissions to 0600. By exploiting this race condition, attackers could read or write files they would otherwise not be allowed to access.
References
+ https://github.com/facebook/zstd/issues/2491
+ https://github.com/facebook/zstd/issues/1630
+ https://github.com/facebook/zstd/pull/2495
+ https://github.com/facebook/zstd/commit/a2adc6df9f44ca9b180872e18528fd236e8a4d20
Notes
CVE-2021-24032 created at 02 Mar 2021 08:53:03