CVE-2013-4577 — Grub2 vulnerability

CWE-2645 documents5 sources

Severity

2.1LOWNVD

EPSS

0.2%

top 63.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

GNU Grub2 Debian Grub2

Timeline

PublishedMay 12

Latest updateMay 17

Description

A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file.

CVSS vector

AV:L/AC:L/C:P/I:N/A:NExploitability: 3.9 | Impact: 2.9

Affected Packages2 packages

▶debiandebian/grub2< grub2 2.00-20 (bookworm)

▶Debiangnu/grub2< 2.00-20+3

Patches

Patch: seclists.org ↗Patch: seclists.org ↗Patch: seclists.org ↗

🔴Vulnerability Details

GHSA

GHSA-2mm6-f25m-73r7: A certain Debian patch for GNU GRUB uses world-readable permissions for grub↗2022-05-17

▶

OSV

CVE-2013-4577: A certain Debian patch for GNU GRUB uses world-readable permissions for grub↗2014-05-12

▶

📋Vendor Advisories

Debian

CVE-2013-4577: grub2 - A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg...↗2013

▶

Red Hat

CVE-2013-4577: A certain Debian patch for GNU GRUB uses world-readable permissions for grub↗

▶