Vulnerabilites related to facebook - zstandard
Vulnerability from fkie_nvd
Published
2019-07-25 21:15
Modified
2024-11-21 04:21
Severity ?
Summary
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*", matchCriteriaId: "56E5C2FA-164D-43B1-9658-D71EEE840B0F", versionEndExcluding: "1.3.8", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.", }, { lang: "es", value: "Una condición de carrera en las funciones de compresión de un paso (one-pass) de Zstandard anterior a versión 1.3.8, podría permitir a un atacante escribir bytes fuera de límites si es utilizado un búfer de salida más pequeño que el tamaño recomendado .", }, ], id: "CVE-2019-11922", lastModified: "2024-11-21T04:21:59.353", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "MEDIUM", cvssData: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, exploitabilityScore: 8.6, impactScore: 6.4, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 2.2, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2019-07-25T21:15:11.600", references: [ { source: "cve-assign@fb.com", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html", }, { source: "cve-assign@fb.com", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html", }, { source: "cve-assign@fb.com", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html", }, { source: "cve-assign@fb.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0", }, { source: "cve-assign@fb.com", url: "https://usn.ubuntu.com/4108-1/", }, { source: "cve-assign@fb.com", tags: [ "Vendor Advisory", ], url: "https://www.facebook.com/security/advisories/cve-2019-11922", }, { source: "cve-assign@fb.com", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://usn.ubuntu.com/4108-1/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.facebook.com/security/advisories/cve-2019-11922", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, ], sourceIdentifier: "cve-assign@fb.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-362", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-03-04 21:15
Modified
2024-11-21 05:52
Severity ?
Summary
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve-assign@fb.com | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 | Exploit, Issue Tracking, Mailing List, Third Party Advisory | |
| cve-assign@fb.com | https://github.com/facebook/zstd/issues/1630 | Exploit, Issue Tracking, Third Party Advisory | |
| cve-assign@fb.com | https://www.facebook.com/security/advisories/cve-2021-24031 | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 | Exploit, Issue Tracking, Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/facebook/zstd/issues/1630 | Exploit, Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.facebook.com/security/advisories/cve-2021-24031 | Vendor Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*", matchCriteriaId: "7BB54F72-0467-43BC-B73A-DA6DC8A55FD9", versionEndExcluding: "1.4.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.", }, { lang: "es", value: "En la utilidad Zstandard command-line versiones anteriores a v1.4.1, los archivos de salida se creaban con permisos predeterminados. Los permisos de archivo correctos (que coincidan con la entrada) solo se establecerán en el momento de la completación. Por lo tanto, los archivos de salida podrían ser leídos o escribibles para personas no deseadas", }, ], id: "CVE-2021-24031", lastModified: "2024-11-21T05:52:14.813", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.1, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-03-04T21:15:12.743", references: [ { source: "cve-assign@fb.com", tags: [ "Exploit", "Issue Tracking", "Mailing List", "Third Party Advisory", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404", }, { source: "cve-assign@fb.com", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/facebook/zstd/issues/1630", }, { source: "cve-assign@fb.com", tags: [ "Vendor Advisory", ], url: "https://www.facebook.com/security/advisories/cve-2021-24031", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Mailing List", "Third Party Advisory", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Exploit", "Issue Tracking", "Third Party Advisory", ], url: "https://github.com/facebook/zstd/issues/1630", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "https://www.facebook.com/security/advisories/cve-2021-24031", }, ], sourceIdentifier: "cve-assign@fb.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-277", }, ], source: "cve-assign@fb.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-276", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2021-03-04 21:15
Modified
2024-11-21 05:52
Severity ?
Summary
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve-assign@fb.com | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 | Patch, Third Party Advisory | |
| cve-assign@fb.com | https://github.com/facebook/zstd/issues/2491 | Issue Tracking, Patch, Third Party Advisory | |
| cve-assign@fb.com | https://www.facebook.com/security/advisories/cve-2021-24032 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/facebook/zstd/issues/2491 | Issue Tracking, Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.facebook.com/security/advisories/cve-2021-24032 | Third Party Advisory |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:facebook:zstandard:*:*:*:*:*:*:*:*", matchCriteriaId: "D09560DA-1F1B-41AA-B96F-DABEE82C04D0", versionEndExcluding: "1.4.9", versionStartIncluding: "1.4.1", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.", }, { lang: "es", value: "A partir de la versión v1.4.1 y anterior a la v1.4.9, debido a una solución incompleta para el CVE-2021-24031, la utilidad de línea de comandos Zstandard creó archivos de salida con permisos predeterminados y restringió esos permisos inmediatamente después. Por lo tanto, los archivos de salida podrían ser momentáneamente legibles o escribibles para personas no deseadas", }, ], id: "CVE-2021-24032", lastModified: "2024-11-21T05:52:14.943", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "LOW", cvssData: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 1.9, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:L/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, exploitabilityScore: 3.4, impactScore: 2.9, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV31: [ { cvssData: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 4.7, baseSeverity: "MEDIUM", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N", version: "3.1", }, exploitabilityScore: 1, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2021-03-04T21:15:12.963", references: [ { source: "cve-assign@fb.com", tags: [ "Patch", "Third Party Advisory", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", }, { source: "cve-assign@fb.com", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/facebook/zstd/issues/2491", }, { source: "cve-assign@fb.com", tags: [ "Third Party Advisory", ], url: "https://www.facebook.com/security/advisories/cve-2021-24032", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Patch", "Third Party Advisory", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", "Third Party Advisory", ], url: "https://github.com/facebook/zstd/issues/2491", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Third Party Advisory", ], url: "https://www.facebook.com/security/advisories/cve-2021-24032", }, ], sourceIdentifier: "cve-assign@fb.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-277", }, ], source: "cve-assign@fb.com", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-276", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Vulnerability from fkie_nvd
Published
2023-03-31 20:15
Modified
2025-02-18 18:15
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
References
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:facebook:zstandard:1.4.10:*:*:*:*:*:*:*", matchCriteriaId: "018AE117-915E-4641-8395-E706D0BDBE55", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", }, { lang: "es", value: "Se encontró una vulnerabilidad en zstd v1.4.10, donde un atacante puede proporcionar una cadena vacía como argumento a la herramienta de línea de comando para provocar una saturación del búfer.", }, ], id: "CVE-2022-4899", lastModified: "2025-02-18T18:15:14.023", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, { cvssData: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 3.9, impactScore: 3.6, source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }, published: "2023-03-31T20:15:07.213", references: [ { source: "secalert@redhat.com", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/facebook/zstd/issues/3200", }, { source: "secalert@redhat.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/", }, { source: "secalert@redhat.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/", }, { source: "secalert@redhat.com", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/", }, { source: "secalert@redhat.com", url: "https://security.netapp.com/advisory/ntap-20230725-0005/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "Patch", ], url: "https://github.com/facebook/zstd/issues/3200", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://security.netapp.com/advisory/ntap-20230725-0005/", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-400", }, ], source: "secalert@redhat.com", type: "Primary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "nvd@nist.gov", type: "Secondary", }, { description: [ { lang: "en", value: "CWE-400", }, ], source: "134c704f-9b21-4f2e-91b3-4a467353bcc0", type: "Secondary", }, ], }
cve-2019-11922
Vulnerability from cvelistv5
Published
2019-07-25 20:32
Modified
2024-08-04 23:10
Severity ?
EPSS score ?
Summary
A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
References
| ▼ | URL | Tags |
|---|---|---|
| http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html | vendor-advisory, x_refsource_SUSE | |
| http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html | vendor-advisory, x_refsource_SUSE | |
| https://usn.ubuntu.com/4108-1/ | vendor-advisory, x_refsource_UBUNTU | |
| http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html | vendor-advisory, x_refsource_SUSE | |
| https://www.oracle.com/security-alerts/cpuoct2020.html | x_refsource_MISC | |
| https://www.facebook.com/security/advisories/cve-2019-11922 | x_refsource_CONFIRM | |
| https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0 | x_refsource_MISC |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-04T23:10:29.677Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "openSUSE-SU-2019:1845", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html", }, { name: "openSUSE-SU-2019:1952", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html", }, { name: "USN-4108-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", "x_transferred", ], url: "https://usn.ubuntu.com/4108-1/", }, { name: "openSUSE-SU-2019:2008", tags: [ "vendor-advisory", "x_refsource_SUSE", "x_transferred", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://www.facebook.com/security/advisories/cve-2019-11922", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Zstandard", vendor: "Facebook", versions: [ { status: "affected", version: "1.3.8", }, { lessThan: "1.3.8", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], dateAssigned: "2019-07-25T00:00:00", descriptions: [ { lang: "en", value: "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.", }, ], problemTypes: [ { descriptions: [ { description: "Out-of-bounds Write (CWE-ID 787)", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2020-10-20T21:14:56", orgId: "4fc57720-52fe-4431-a0fb-3d2c8747b827", shortName: "facebook", }, references: [ { name: "openSUSE-SU-2019:1845", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html", }, { name: "openSUSE-SU-2019:1952", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html", }, { name: "USN-4108-1", tags: [ "vendor-advisory", "x_refsource_UBUNTU", ], url: "https://usn.ubuntu.com/4108-1/", }, { name: "openSUSE-SU-2019:2008", tags: [ "vendor-advisory", "x_refsource_SUSE", ], url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html", }, { tags: [ "x_refsource_MISC", ], url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://www.facebook.com/security/advisories/cve-2019-11922", }, { tags: [ "x_refsource_MISC", ], url: "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve-assign@fb.com", DATE_ASSIGNED: "2019-07-25", ID: "CVE-2019-11922", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Zstandard", version: { version_data: [ { version_affected: "!=>", version_value: "1.3.8", }, { version_affected: "<", version_value: "1.3.8", }, ], }, }, ], }, vendor_name: "Facebook", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "A race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Out-of-bounds Write (CWE-ID 787)", }, ], }, ], }, references: { reference_data: [ { name: "openSUSE-SU-2019:1845", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00008.html", }, { name: "openSUSE-SU-2019:1952", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00062.html", }, { name: "USN-4108-1", refsource: "UBUNTU", url: "https://usn.ubuntu.com/4108-1/", }, { name: "openSUSE-SU-2019:2008", refsource: "SUSE", url: "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00078.html", }, { name: "https://www.oracle.com/security-alerts/cpuoct2020.html", refsource: "MISC", url: "https://www.oracle.com/security-alerts/cpuoct2020.html", }, { name: "https://www.facebook.com/security/advisories/cve-2019-11922", refsource: "CONFIRM", url: "https://www.facebook.com/security/advisories/cve-2019-11922", }, { name: "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0", refsource: "MISC", url: "https://github.com/facebook/zstd/pull/1404/commits/3e5cdf1b6a85843e991d7d10f6a2567c15580da0", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "4fc57720-52fe-4431-a0fb-3d2c8747b827", assignerShortName: "facebook", cveId: "CVE-2019-11922", datePublished: "2019-07-25T20:32:44", dateReserved: "2019-05-13T00:00:00", dateUpdated: "2024-08-04T23:10:29.677Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-24032
Vulnerability from cvelistv5
Published
2021-03-04 20:15
Modified
2024-08-03 19:21
Severity ?
EPSS score ?
Summary
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/facebook/zstd/issues/2491 | x_refsource_MISC | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519 | x_refsource_MISC | |
| https://www.facebook.com/security/advisories/cve-2021-24032 | x_refsource_MISC |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T19:21:17.115Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/facebook/zstd/issues/2491", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.facebook.com/security/advisories/cve-2021-24032", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Zstandard", vendor: "Facebook", versions: [ { lessThan: "unspecified", status: "unaffected", version: "1.4.9", versionType: "custom", }, { lessThan: "unspecified", status: "affected", version: "1.4.1", versionType: "custom", }, { lessThan: "1.4.1", status: "unaffected", version: "unspecified", versionType: "custom", }, ], }, ], dateAssigned: "2021-03-01T00:00:00", descriptions: [ { lang: "en", value: "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-277", description: "Insecure Inherited Permissions (CWE-277)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-03-04T20:15:21", orgId: "4fc57720-52fe-4431-a0fb-3d2c8747b827", shortName: "facebook", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/facebook/zstd/issues/2491", }, { tags: [ "x_refsource_MISC", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", }, { tags: [ "x_refsource_MISC", ], url: "https://www.facebook.com/security/advisories/cve-2021-24032", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve-assign@fb.com", DATE_ASSIGNED: "2021-03-01", ID: "CVE-2021-24032", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Zstandard", version: { version_data: [ { version_affected: "!>=", version_value: "1.4.9", }, { version_affected: ">=", version_value: "1.4.1", }, { version_affected: "!<", version_value: "1.4.1", }, ], }, }, ], }, vendor_name: "Facebook", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Insecure Inherited Permissions (CWE-277)", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/facebook/zstd/issues/2491", refsource: "MISC", url: "https://github.com/facebook/zstd/issues/2491", }, { name: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", refsource: "MISC", url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=982519", }, { name: "https://www.facebook.com/security/advisories/cve-2021-24032", refsource: "MISC", url: "https://www.facebook.com/security/advisories/cve-2021-24032", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "4fc57720-52fe-4431-a0fb-3d2c8747b827", assignerShortName: "facebook", cveId: "CVE-2021-24032", datePublished: "2021-03-04T20:15:21", dateReserved: "2021-01-13T00:00:00", dateUpdated: "2024-08-03T19:21:17.115Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2021-24031
Vulnerability from cvelistv5
Published
2021-03-04 20:15
Modified
2024-08-03 19:21
Severity ?
EPSS score ?
Summary
In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.
References
| ▼ | URL | Tags |
|---|---|---|
| https://github.com/facebook/zstd/issues/1630 | x_refsource_MISC | |
| https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404 | x_refsource_MISC | |
| https://www.facebook.com/security/advisories/cve-2021-24031 | x_refsource_MISC |
Impacted products
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T19:21:17.205Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://github.com/facebook/zstd/issues/1630", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404", }, { tags: [ "x_refsource_MISC", "x_transferred", ], url: "https://www.facebook.com/security/advisories/cve-2021-24031", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "Zstandard", vendor: "Facebook", versions: [ { lessThan: "unspecified", status: "unaffected", version: "1.4.1", versionType: "custom", }, { lessThan: "1.4.1", status: "affected", version: "unspecified", versionType: "custom", }, ], }, ], dateAssigned: "2021-03-01T00:00:00", descriptions: [ { lang: "en", value: "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-277", description: "Insecure Inherited Permissions (CWE-277)", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2021-03-04T20:15:21", orgId: "4fc57720-52fe-4431-a0fb-3d2c8747b827", shortName: "facebook", }, references: [ { tags: [ "x_refsource_MISC", ], url: "https://github.com/facebook/zstd/issues/1630", }, { tags: [ "x_refsource_MISC", ], url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404", }, { tags: [ "x_refsource_MISC", ], url: "https://www.facebook.com/security/advisories/cve-2021-24031", }, ], x_legacyV4Record: { CVE_data_meta: { ASSIGNER: "cve-assign@fb.com", DATE_ASSIGNED: "2021-03-01", ID: "CVE-2021-24031", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "Zstandard", version: { version_data: [ { version_affected: "!>=", version_value: "1.4.1", }, { version_affected: "<", version_value: "1.4.1", }, ], }, }, ], }, vendor_name: "Facebook", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "In the Zstandard command-line utility prior to v1.4.1, output files were created with default permissions. Correct file permissions (matching the input) would only be set at completion time. Output files could therefore be readable or writable to unintended parties.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "Insecure Inherited Permissions (CWE-277)", }, ], }, ], }, references: { reference_data: [ { name: "https://github.com/facebook/zstd/issues/1630", refsource: "MISC", url: "https://github.com/facebook/zstd/issues/1630", }, { name: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404", refsource: "MISC", url: "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981404", }, { name: "https://www.facebook.com/security/advisories/cve-2021-24031", refsource: "MISC", url: "https://www.facebook.com/security/advisories/cve-2021-24031", }, ], }, }, }, }, cveMetadata: { assignerOrgId: "4fc57720-52fe-4431-a0fb-3d2c8747b827", assignerShortName: "facebook", cveId: "CVE-2021-24031", datePublished: "2021-03-04T20:15:21", dateReserved: "2021-01-13T00:00:00", dateUpdated: "2024-08-03T19:21:17.205Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2022-4899
Vulnerability from cvelistv5
Published
2023-03-31 00:00
Modified
2025-02-18 17:23
Severity ?
EPSS score ?
Summary
A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-03T01:55:46.209Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { tags: [ "x_transferred", ], url: "https://github.com/facebook/zstd/issues/3200", }, { tags: [ "x_transferred", ], url: "https://security.netapp.com/advisory/ntap-20230725-0005/", }, { name: "FEDORA-2023-9ccff0b1b7", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/", }, { name: "FEDORA-2023-492105ed08", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/", }, { name: "FEDORA-2023-a9283d639f", tags: [ "vendor-advisory", "x_transferred", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/", }, ], title: "CVE Program Container", }, { metrics: [ { cvssV3_1: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, }, { other: { content: { id: "CVE-2022-4899", options: [ { Exploitation: "none", }, { Automatable: "yes", }, { "Technical Impact": "partial", }, ], role: "CISA Coordinator", timestamp: "2025-02-18T17:23:19.192469Z", version: "2.0.3", }, type: "ssvc", }, }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400 Uncontrolled Resource Consumption", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2025-02-18T17:23:22.964Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, title: "CISA ADP Vulnrichment", }, ], cna: { affected: [ { product: "zstd", vendor: "n/a", versions: [ { status: "affected", version: "zstd 1.5.4", }, ], }, ], descriptions: [ { lang: "en", value: "A vulnerability was found in zstd v1.4.10, where an attacker can supply empty string as an argument to the command line tool to cause buffer overrun.", }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-400", description: "CWE-400", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2023-09-16T03:06:48.479Z", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { url: "https://github.com/facebook/zstd/issues/3200", }, { url: "https://security.netapp.com/advisory/ntap-20230725-0005/", }, { name: "FEDORA-2023-9ccff0b1b7", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C63HAGVLQA6FJNDCHR7CNZZL6VSLILB2/", }, { name: "FEDORA-2023-492105ed08", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JEHRBBYYTPA4DETOM5XAKGCP37NUTLOA/", }, { name: "FEDORA-2023-a9283d639f", tags: [ "vendor-advisory", ], url: "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QYLDK6ODVC4LJSDULLX6Q2YHTFOWABCN/", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2022-4899", datePublished: "2023-03-31T00:00:00.000Z", dateReserved: "2023-01-31T00:00:00.000Z", dateUpdated: "2025-02-18T17:23:22.964Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }