一、漏洞信息
漏洞编号:CVE-2021-24032
漏洞归属组件:Zstandard
漏洞归属的版本:1.4.4
CVSS V3.0分值:
BaseScore:9.1 Critical
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
漏洞简述:
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
漏洞公开时间:2021-03-05 05:15
漏洞创建时间:2021-03-10 21:02:01
漏洞详情参考链接:
https://nvd.nist.gov/vuln/detail/CVE-2021-24032
漏洞分析指导链接:
https://gitee.com/opengauss/security/blob/master/cve/manual.md
二、漏洞分析结构反馈
影响性分析说明:
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
openGauss评分:
9.1
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
受影响版本排查(受影响/不受影响):
1.2.0.0:受影响
2.master:受影响
@
issue处理注意事项:
1. 当前issue受影响的分支提交pr时, 须在pr描述中填写当前issue编号进行关联, 否则无法关闭当前issue;
2. 模板内容需要填写完整, 无论是受影响或者不受影响都需要填写完整内容,未引入的分支不需要填写, 否则无法关闭当前issue;
3. 以下为模板中需要填写完整的内容, 请复制到评论区回复, 注: 内容的标题名称(影响性分析说明, openGauss评分, 受影响版本排查(受影响/不受影响))不能省略,省略后cve-manager将无法正常解析填写内容.
影响性分析说明:
openGauss评分: (评分和向量)
受影响版本排查(受影响/不受影响):
issue处理具体操作请参考:
https://gitee.com/openeuler/cve-manager/blob/master/doc/md/manual.md
pr关联issue具体操作请参考:
https://gitee.com/help/articles/4142
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
Hey @opengauss-bot, Welcome to openGauss Community.
All of the projects in openGauss Community are maintained by @opengauss-bot.
That means the developers can comment below every pull request or issue to trigger Bot Commands.
Please follow instructions at https://gitee.com/opengauss/community/blob/master/contributors/command.en.md to find the details.
jianfenglee 请完成以下操作:
状态 | 需分析 | 内容 |
---|---|---|
待分析 | 影响性分析说明 | 影响性分析说明 没有填写或按正确格式填写 |
已分析 | openGaussScore | 0 |
已分析 | openGaussVector | |
已分析 | 受影响版本排查 |
请确认分析内容的准确性,待分析内容请填写完整,否则将无法关闭当前issue.
影响性分析说明:
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
openGauss评分:
BaseScore:9.1 Critical
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
受影响版本排查(受影响/不受影响):
1.2.0.0:受影响
2.master:受影响
@buter openGaussScore没有填写或正确填写(0-10)
影响性分析说明:
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
openGauss评分: (评分和向量):
BaseScore:9.1 Critical
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
受影响版本排查(受影响/不受影响):
1.2.0.0:受影响
2.master:受影响
@lijianfeng 经过 cve-manager 解析, 已分析的内容如下表所示:
状态 | 需分析 | 内容 |
---|---|---|
已分析 | 影响性分析说明 | Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties. |
已分析 | openGaussScore | 9.1 |
已分析 | openGaussVector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
已分析 | 受影响版本排查 | 2.0.0:受影响,master:受影响 |
请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.
/approve
@lijianfeng
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I3AVOI:CVE-2021-24032
受影响分支: 2.0.0
具体操作参考: https://gitee.com/help/articles/4142
@lijianfeng
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I3AVOI:CVE-2021-24032
受影响分支: 2.0.0
具体操作参考: https://gitee.com/help/articles/4142
/close
this issue is closed by: @buter.
@lijianfeng
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I3AVOI:CVE-2021-24032
受影响分支: 2.0.0
具体操作参考: https://gitee.com/help/articles/4142
/close
this issue is closed by: @buter.
@lijianfeng
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I3AVOI:CVE-2021-24032
受影响分支: 2.0.0
具体操作参考: https://gitee.com/help/articles/4142
/approve
@lijianfeng
关闭issue前,需要将受影响的分支在合并pr时关联上当前issue编号: #I3AVOI:CVE-2021-24032
受影响分支: 2.0.0
具体操作参考: https://gitee.com/help/articles/4142
/approve
@zhangxubo maintainer具有通过(/approve或者/close)关闭issue, 否则请通过issue页面按钮关闭issue!
/approve
@buter 你已审核模板内容, cve-manager 将关闭issue!
影响性分析说明:
Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties.
openGauss评分: (评分和向量):
BaseScore:9.1 Critical
Vector:CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
受影响版本排查(受影响/不受影响):
1.2.0.0:受影响
2.master:受影响
@lijianfeng 经过 cve-manager 解析, 已分析的内容如下表所示:
状态 | 需分析 | 内容 |
---|---|---|
已分析 | 影响性分析说明 | Beginning in v1.4.1 and prior to v1.4.9, due to an incomplete fix for CVE-2021-24031, the Zstandard command-line utility created output files with default permissions and restricted those permissions immediately afterwards. Output files could therefore momentarily be readable or writable to unintended parties. |
已分析 | openGaussScore | 9.1 |
已分析 | openGaussVector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
已分析 | 受影响版本排查 | 2.0.0:受影响,master:受影响 |
请确认分析内容的准确性, 确认无误后, 您可以进行后续步骤, 否则您可以继续分析.
登录 后才可以发表评论