CVE-2016-8637
https://notcve.org/view.php?id=CVE-2016-8637
A local information disclosure issue was found in dracut before 045: initramfs images are generated with world-readable permissions when 'early cpio' is used, such as when including microcode updates. A local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.
References:
• http://seclists.org/oss-sec/2016/q4/352
• http://www.securityfocus.com/bid/94128
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8637
• https://github.com/dracutdevs/dracut/commit/0db98910a11c12a454eac4c8e86dc7a7bbc764a4
CWE:
• CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
• CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2015-0794
https://notcve.org/view.php?id=CVE-2015-0794
modules.d/90crypt/module-setup.sh in the dracut package before 037-17.30.1 in openSUSE 13.2 allows local users to have unspecified impact via a symlink attack on /tmp/dracut_block_uuid.map.
References:
• http://lists.opensuse.org/opensuse-bugs/2015-06/msg02580.html
• http://lists.opensuse.org/opensuse-bugs/2015-06/msg02585.html
• http://lists.opensuse.org/opensuse-updates/2015-11/msg00098.html
CWE:
• CWE-59: Improper Link Resolution Before File Access ('Link Following')
CVE-2012-4453 – dracut: Creates initramfs images with world-readable permissions (information disclosure)
https://notcve.org/view.php?id=CVE-2012-4453
dracut.sh in dracut, as used in Red Hat Enterprise Linux 6, Fedora 16 and 17, and possibly other products, creates initramfs images with world-readable permissions, which might allow local users to obtain sensitive information.
It was discovered that dracut created initramfs images as world readable. A local user could possibly use this flaw to obtain sensitive information from these files, such as iSCSI authentication passwords, encrypted root file system crypttab passwords, or other information.
References:
• http://git.kernel.org/?p=boot/dracut/dracut.git%3Ba=commit%3Bh=e1b48995c26c4f06d1a71
• http://rhn.redhat.com/errata/RHSA-2013-1674.html
• http://www.openwall.com/lists/oss-security/2012/09/27/3
• http://www.openwall.com/lists/oss-security/2012/09/27/4
• http://www.openwall.com/lists/oss-security/2012/09/27/6
• http://www.securityfocus.com/bid/55713
• https://bugzilla.redhat.com/show_bug.cgi?id=859448
• https://exchange.xforce.ibmcloud.com/vulnerabilities/79258
• https://access&
CWE:
• CWE-276: Incorrect Default Permissions