Configuration File Permission Flaw in GRUB2 by Red Hat
CVE-2021-3981

3.3LOW

Key Information:

Vendor
Gnu
Status
Grub2
Vendor
CVE Published:
8 March 2022

Summary

A security issue has been identified in the GRUB2 bootloader where its configuration file (grub.cfg) is created with incorrect permissions, allowing non-privileged users to read potentially sensitive content, including encrypted passwords. While a fix has been proposed upstream, no patched version has yet been released for user systems. This presents a confidentiality risk as unauthorized access to these details could compromise system security.

Affected Version(s)

grub2 grub2 2.06 and previous versions

References

https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisoryx_refsource_FEDORA
https://bugzilla.redhat.com/show_bug.cgi?id=2024170
x_refsource_MISC
https://security.gentoo.org/glsa/202209-12
vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.