Security Vulnerability in Default Builds of rpm-ostree Exposes Sensitive Authentication Data

CVE-2024-2905

6.2MEDIUM

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 9.2 Extended Update Support; Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Openshift Container Platform 4
Vendor: CVE Published:; 25 April 2024

Summary

A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication data to unauthorized access.

Affected Version(s)

Red Hat Enterprise Linux 9.2 Extended Update Support <= 0:2023.3-2.el9_2

CVSS V3.1

Score:

6.2

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 6.2 - (MEDIUM)
May 28, 2024
Vulnerability published.
Apr 25, 2024
Reported to Red Hat.
Mar 26, 2024

Collectors

NVD DatabaseMitre Database