CVE-2021-3981

Published: 10 March 2022

A flaw was found in grub2 where its configuration file, grub.cfg, is created with the wrong permission set, allowing non-privileged users to read its contents. This is a low-severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. The flaw affects grub2 2.06 and previous versions. The issue has been fixed in grub upstream, but no version with the fix is currently released.
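
A local check for the exposure described above, as an added example that is not part of the advisory or of grub itself: it reports a grub.cfg only when the file both contains a password directive and is readable by unprivileged users. The function name `audit_grub_cfg` is hypothetical, and the default path `/boot/grub/grub.cfg` is an assumption about the usual Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a GRUB configuration file
# for the CVE-2021-3981 exposure. The default path is an assumption.
#
# Return codes: 0 = not exposed, 1 = exposed, 2 = could not check.
audit_grub_cfg() {
    cfg="${1:-/boot/grub/grub.cfg}"

    if [ ! -f "$cfg" ]; then
        echo "SKIP: $cfg not found"
        return 2
    fi
    if [ ! -r "$cfg" ]; then
        # The current user cannot read the file, so its contents
        # cannot be inspected from this account.
        echo "SKIP: $cfg is not readable by this user; rerun as root"
        return 2
    fi

    # GRUB's 'password' and 'password_pbkdf2' commands are the lines
    # that carry a credential. Without them there is nothing to leak.
    if ! grep -Eq '^[[:space:]]*password(_pbkdf2)?[[:space:]]' "$cfg"; then
        echo "OK: $cfg contains no password directives"
        return 0
    fi

    # -perm -0004 matches when the "other" read bit is set, i.e. any
    # local account can read the file. Group access is not evaluated.
    if [ -n "$(find "$cfg" -maxdepth 0 -perm -0004 2>/dev/null)" ]; then
        echo "EXPOSED: $cfg contains password directives and is world-readable"
        echo "  mitigate: chmod o-r '$cfg', then rotate the GRUB password"
        return 1
    fi

    echo "OK: $cfg contains password directives but is not world-readable"
    return 0
}
```

Call `audit_grub_cfg` with no argument to check the default path, or pass another path such as a copy of the file taken from a backup.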

Notes

Author    Note
mdeslaur  Introduced by: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ab2e53c8a196a595e50f1c836bf756b9db1ae68d
eslerm    patch applied in grub-2.12-rc1

Priority

Low

Cvss 3 Severity Score

3.3


Status

Package: grub2 (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Not vulnerable (does not affect Secure Boot)
focal     Not vulnerable (does not affect Secure Boot)
hirsute   Ignored (end of life)
impish    Ignored (end of life)
jammy     Not vulnerable (does not affect Secure Boot)
kinetic   Ignored (end of life, was needed)
lunar     Ignored (end of life, was needed)
mantic    Not vulnerable (does not affect Secure Boot)
noble     Not vulnerable (does not affect Secure Boot)
trusty    Not vulnerable (does not affect Secure Boot)
upstream  Needs triage
xenial    Not vulnerable (does not affect Secure Boot)

Patches:
upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4

Package: grub2-signed (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Needs triage
focal     Released (1.187.3~20.04.1)
jammy     Released (1.187.3~22.04.1)
kinetic   Ignored (end of life, was needed)
lunar     Not vulnerable (1.192)
mantic    Not vulnerable (1.194)
noble     Not vulnerable (1.194)
trusty    Needs triage
upstream  Needs triage
xenial    Needs triage

Package: grub2-unsigned (Launchpad, Ubuntu, Debian)

Release   Status
bionic    Needs triage
focal     Released (2.06-2ubuntu14.1)
jammy     Released (2.06-2ubuntu14.1)
kinetic   Ignored (end of life, was needed)
lunar     Not vulnerable (2.06-2ubuntu16)
mantic    Not vulnerable (2.12~rc1-4ubuntu1)
noble     Not vulnerable (2.12~rc1-4ubuntu1)
trusty    Does not exist
upstream  Needs triage
xenial    Needs triage

Severity score breakdown

Parameter            Value
Base score           3.3
Attack vector        Local
Attack complexity    Low
Privileges required  Low
User interaction     None
Scope                Unchanged
Confidentiality      Low
Integrity impact     None
Availability impact  None
Vector               CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N