CVE-2016-8637 — Incorrect Permission Assignment in Project Dracut
CWE-732 — Incorrect Permission Assignment
CWE-200 — Sensitive Information Exposure
10 documents, 6 sources
Severity
7.8 HIGH (NVD)
EPSS
0.1%
top 77.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 1
Latest update: May 13
Description
A local information disclosure issue was found in dracut before 045: when 'early cpio' is used, such as when including microcode updates, initramfs images are generated with world-readable permissions. A local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9
Affected Packages: 4 packages
Vulnerability Details (2)
GHSA
GHSA-wf9g-696p-j466: A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' (2022-05-13)
OSV
CVE-2016-8637: A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' (2018-08-01)
Vendor Advisories (2)
Community (5)
Bugzilla
CVE-2019-13179 calamares: incorrect permission leads to disclosure of decryption keys for LUKS container (2019-07-03)
Bugzilla
CVE-2019-13179 calamares: incorrect permission leads to disclosure of decryption keys for LUKS container [fedora-all] (2019-07-03)
Bugzilla
CVE-2016-8637 dracut: Local information disclosure of initramfs when early cpio is used [fedora-all] (2016-11-07)