Описание
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
A flaw was found in zstd. While the final file mode is reflective of the input file, when compressing or uncompressing, the file can temporarily gain greater permissions than the input and potentially leading to security issues (especially if large files are being handled).
Отчет
In OpenShift Container Platform (OCP) the zstd package was delivered in OCP 4.3 which is already end of life. This vulnerability can be considered low severity rather than moderate due to the fact that the elevated file permissions are only temporary and only exist during the compression or decompression process. Once the operation completes, the file permissions revert to their intended state, mirroring those of the input file. The risk is further minimized by the fact that the exposure window is brief, and the elevated permissions are not persistent. Additionally, the issue only arises during the processing of files, and only those with larger sizes or more involved operations would be at risk.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Advanced Cluster Security 3 | rox | Affected | ||
| Red Hat Ceph Storage 3 | ceph | Affected | ||
| Red Hat Ceph Storage 7 | libzstd | Affected | ||
| Red Hat Enterprise Linux 8 | zstd | Fix deferred | ||
| Red Hat Enterprise Linux 9 | zstd | Not affected | ||
| Red Hat OpenShift Container Platform 4 | zstd | Out of support scope | ||
| Red Hat OpenStack Platform 16.1 | zstd | Not affected | ||
| Red Hat AMQ Streams 2.7.0 | Fixed | RHSA-2024:3527 | 30.05.2024 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.5 Medium
CVSS3
Связанные уязвимости
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for ...
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
EPSS
5.5 Medium
CVSS3