CVE-2022-3675: Input Validation
First published: Thu Nov 03 2022(Updated: )
Fedora CoreOS supports setting a GRUB bootloader password using a Butane config. When this feature is enabled, GRUB requires a password to access the GRUB command-line, modify kernel command-line arguments, or boot non-default OSTree deployments. Recent Fedora CoreOS releases have a misconfiguration which allows booting non-default OSTree deployments without entering a password. This allows someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, reverting any security fixes that have recently been applied to the machine. A password is still required to modify kernel command-line arguments and to access the GRUB command line.
Credit: patrick@puiterwijk.org patrick@puiterwijk.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Fedora Coreos | >=36.20220820.3.0<37.20221031.1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/nvd-index
- agent/author
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/tags
- agent/description
- agent/event
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- vendor/redhat
- canonical/redhat fedora coreos
- version/redhat fedora coreos/36.20220820.3.0