CVE-2024-23301 – rear: creates a world-readable initrd

https://notcve.org/view.php?id=CVE-2024-23301

Relax-and-Recover (aka ReaR) through 2.7 creates a world-readable initrd when using GRUB_RESCUE=y. This allows local attackers to gain access to system secrets otherwise only readable by root. Relax-and-Recover (a.k.a ReaR) hasta 2.7 crea un initrd world-readable cuando se usa GRUB_RESCUE=y. Esto permite a los atacantes locales obtener acceso a secretos del sistema que de otro modo sólo serían legibles por root. A vulnerability has been identified in Relax-and-Recover (ReaR), where the use of GRUB_RESCUE=y results in the creation of an initrd that is readable by anyone. • https://github.com/rear/rear/issues/3122 https://github.com/rear/rear/pull/3123 https://lists.debian.org/debian-lts-announce/2024/02/msg00003.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JIN57LUPBI2GDJOK3PYXNHJTZT3AQTZ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UHKMPXJNXEJJE6EVYE5HM7EKEJFQMBN7 https://access.redhat.com/security/cve/CVE-2024-23301 https://bugzilla.redhat.com/show_bug.cgi?id=2258396 • CWE-359: Exposure of Private Personal Information to an Unauthorized Actor •