CVE-2013-4577
GNU GRUB - Unprotected Password Hash Exposure via World-Readable grub.cfg
A certain Debian patch for GNU GRUB uses world-readable permissions for grub.cfg, which allows local users to obtain password hashes, as demonstrated by reading the password_pbkdf2 directive in the file.
References (4)
Issue Tracking (x_refsource_confirm): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=632598
Patch, mailing-list (x_refsource_mlist): http://seclists.org/oss-sec/2013/q4/291
Patch, mailing-list (x_refsource_mlist): http://seclists.org/oss-sec/2013/q4/292
Scores
EPSS: 0.0016
EPSS Percentile: 35.8%
Details
CWE: CWE-264
Status: published
Products (1): gnu/grub
Published: May 12, 2014
Tracked Since: Feb 18, 2026