Vulnerability Details CVE-2024-23301
Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 30.8%
CVSS Severity
CVSS v3 Score 5.5
References
- https://github.com/rear/rear/issues/3122
- https://github.com/rear/rear/pull/3123
- https://lists.debian.org/debian-lts-announce/2024/02/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JIN57LUPBI2GDJOK3PYXNHJTZT3AQTZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHKMPXJNXEJJE6EVYE5HM7EKEJFQMBN7/
- https://github.com/rear/rear/issues/3122
- https://github.com/rear/rear/pull/3123
- https://lists.debian.org/debian-lts-announce/2024/02/msg00003.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JIN57LUPBI2GDJOK3PYXNHJTZT3AQTZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHKMPXJNXEJJE6EVYE5HM7EKEJFQMBN7/
Products affected by CVE-2024-23301
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.10.0
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.11.0
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.12.0
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.13.0
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.14
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.15
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.16
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.16.1
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.17.0
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.17.1
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.17.2
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.18
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.19
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.18
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.19
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.20
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.21
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.22
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.23
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.24
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.25
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.7.26
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.9
-
cpe:2.3:a:relax-and-recover:relax-and-recover:1.9.0
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.00
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.1
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.2
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.3
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.5
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.6
-
cpe:2.3:a:relax-and-recover:relax-and-recover:2.7
-
cpe:2.3:o:fedoraproject:fedora:39
-
cpe:2.3:o:redhat:enterprise_linux:8.0
-
cpe:2.3:o:redhat:enterprise_linux:9.0
-
cpe:2.3:o:suse:linux_enterprise:15.0