Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-20269

Published: 10 March 2022

A flaw was found in the permissions of a log file created by kexec-tools. This flaw allows a local unprivileged user to read this file and leak kernel internal information from a previous panic. The highest threat from this vulnerability is to confidentiality. This flaw affects kexec-tools shipped by Fedora versions prior to 2.0.21-8 and RHEL versions prior to 2.0.20-47.

Notes

AuthorNote
sbeattie
on ubuntu/debian, makedumpfile from src:makedumpfile is used
to create the dmesg file, and correctly limits the permissions on it.
On Fedora/RedHat, the kdump-lib-initramfs.sh is used and is where
the vulnerability lies. This script is not included in ubuntu/debian
packaging.

Priority

Low

Cvss 3 Severity Score

5.5

Score breakdown

Status

Package Release Status
kexec-tools
Launchpad, Ubuntu, Debian
impish Not vulnerable
(code not present)
bionic Not vulnerable
(code not present)
focal Not vulnerable
(code not present)
groovy Not vulnerable
(code not present)
hirsute Not vulnerable
(code not present)
xenial Not vulnerable
(code not present)
upstream Needs triage

trusty Does not exist

jammy Not vulnerable
(code not present)

Severity score breakdown

Parameter Value
Base score 5.5
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N