Vulnerability Description
A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates. A local attacker can use this to obtain sensitive information from these files, such as encryption keys or credentials.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dracut Project | Dracut | < 045 |
References
- http://seclists.org/oss-sec/2016/q4/352 (Exploit, Mailing List, Third Party Advisory)
- http://www.securityfocus.com/bid/94128 (Third Party Advisory, VDB Entry)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8637 (Exploit, Issue Tracking, Third Party Advisory)
- https://github.com/dracutdevs/dracut/commit/0db98910a11c12a454eac4c8e86dc7a7bbc7 (Patch, Third Party Advisory)
FAQ
What is CVE-2016-8637?
CVE-2016-8637 is a vulnerability with a CVSS score of 5.0 (MEDIUM). A local information disclosure issue was found in dracut before 045 when generating initramfs images with world-readable permissions when 'early cpio' is used, such as when including microcode updates...
How severe is CVE-2016-8637?
CVE-2016-8637 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2016-8637?
Check the references section above for vendor advisories and patch information. Affected products include: Dracut Project Dracut.