Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2021-3981

Published: 10 March 2022

A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.

Notes

AuthorNote
mdeslaur
Introduced by:
https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=ab2e53c8a196a595e50f1c836bf756b9db1ae68d
eslerm
patch applied in grub-2.12-rc1

Priority

Low

Cvss 3 Severity Score

3.3

Score breakdown

Status

Package Release Status
grub2
Launchpad, Ubuntu, Debian
impish Ignored
(end of life)
trusty Not vulnerable
(does not affect Secure Boot)
upstream Needs triage

bionic Not vulnerable
(does not affect Secure Boot)
focal Not vulnerable
(does not affect Secure Boot)
hirsute Ignored
(end of life)
kinetic Ignored
(end of life, was needed)
jammy Not vulnerable
(does not affect Secure Boot)
lunar Ignored
(end of life, was needed)
mantic Not vulnerable
(does not affect Secure Boot)
xenial Not vulnerable
(does not affect Secure Boot)
Patches:
upstream: https://git.savannah.gnu.org/gitweb/?p=grub.git;a=commit;h=0adec29674561034771c13e446069b41ef41e4d4
grub2-signed
Launchpad, Ubuntu, Debian
trusty Needs triage

xenial Needs triage

bionic Needs triage

upstream Needs triage

lunar Not vulnerable
(1.192)
kinetic Ignored
(end of life, was needed)
mantic Not vulnerable
(1.194)
focal
Released (1.187.3~20.04.1)
jammy
Released (1.187.3~22.04.1)
grub2-unsigned
Launchpad, Ubuntu, Debian
xenial Needs triage

bionic Needs triage

upstream Needs triage

trusty Does not exist

kinetic Ignored
(end of life, was needed)
lunar Not vulnerable
(2.06-2ubuntu16)
mantic Not vulnerable
(2.12~rc1-4ubuntu1)
focal
Released (2.06-2ubuntu14.1)
jammy
Released (2.06-2ubuntu14.1)

Severity score breakdown

Parameter Value
Base score 3.3
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality Low
Integrity impact None
Availability impact None
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N