Incorrect Default Permissions Affecting libzstd package, versions <1.4.8+dfsg-2



    Attack Complexity High
    Confidentiality High

    Threat Intelligence

    EPSS 0.05% (17th percentile)
Expand this section
4.7 medium
Expand this section
6.2 medium
Expand this section
Red Hat
5.5 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN11-LIBZSTD-1080898
  • published 2 Mar 2021
  • disclosed 4 Mar 2021

How to fix?

Upgrade Debian:11 libzstd to version 1.4.8+dfsg-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream libzstd package and not the libzstd package as distributed by Debian. See How to fix? for Debian:11 relevant fixed versions and status.

Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.