Show plain JSON{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-3675", "assignerOrgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "state": "PUBLISHED", "assignerShortName": "fedora", "requesterUserId": "f3a2da25-33ae-4444-b293-a5bd0f5d6b21", "dateReserved": "2022-10-24T06:40:10.332Z", "datePublished": "2022-11-03T17:25:02.823Z", "dateUpdated": "2025-05-02T18:53:10.153Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "coreos-assembler", "product": "CoreOS", "vendor": "Fedora Project", "versions": [{"lessThan": "testing 36.20221030.2.0 ", "status": "affected", "version": "testing 36.20220906.2.0 and later", "versionType": "fix"}, {"lessThan": "next 37.20221031.1.0", "status": "affected", "version": "next 36.20220906.1.0 and later", "versionType": "fix"}, {"lessThan": "stable 36.20221014.3.0", "status": "affected", "version": "stable 36.20220820.3.0 and later", "versionType": "fix"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>Fedora CoreOS supports setting a GRUB bootloader password\nusing a Butane config. When this feature is enabled, GRUB requires a password to access the\nGRUB command-line, modify kernel command-line arguments, or boot\nnon-default OSTree deployments. Recent Fedora CoreOS releases have a\nmisconfiguration which allows booting non-default OSTree deployments\nwithout entering a password. This allows someone with access to the\nGRUB menu to boot into an older version of Fedora CoreOS, reverting\nany security fixes that have recently been applied to the machine. A\npassword is still required to modify kernel command-line arguments and\nto access the GRUB command line.\n<br></div>"}], "value": "Fedora CoreOS supports setting a GRUB bootloader password\nusing a Butane config. When this feature is enabled, GRUB requires a password to access the\nGRUB command-line, modify kernel command-line arguments, or boot\nnon-default OSTree deployments. Recent Fedora CoreOS releases have a\nmisconfiguration which allows booting non-default OSTree deployments\nwithout entering a password. This allows someone with access to the\nGRUB menu to boot into an older version of Fedora CoreOS, reverting\nany security fixes that have recently been applied to the machine. A\npassword is still required to modify kernel command-line arguments and\nto access the GRUB command line.\n\n\n\n"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "NONE", "baseScore": 2.6, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "description": "CWE-20 Improper Input Validation", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "92fb86c3-55a5-4fb5-9c3f-4757b9e96dc5", "shortName": "fedora", "dateUpdated": "2022-11-03T17:49:43.071Z"}, "references": [{"tags": ["issue-tracking"], "url": "https://github.com/coreos/fedora-coreos-tracker/issues/1333"}, {"tags": ["release-notes"], "url": "https://lists.fedoraproject.org/archives/list/coreos-status@lists.fedoraproject.org/thread/NHUCNH5Y4UH5DPUCXISYXXVA563TLFEJ/"}, {"tags": ["related"], "url": "https://docs.fedoraproject.org/en-US/fedora-coreos/grub-password/"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T01:14:03.251Z"}, "title": "CVE Program Container", "references": [{"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/coreos/fedora-coreos-tracker/issues/1333"}, {"tags": ["release-notes", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/coreos-status@lists.fedoraproject.org/thread/NHUCNH5Y4UH5DPUCXISYXXVA563TLFEJ/"}, {"tags": ["related", "x_transferred"], "url": "https://docs.fedoraproject.org/en-US/fedora-coreos/grub-password/"}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-02T18:53:02.484531Z", "id": "CVE-2022-3675", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-02T18:53:10.153Z"}}]}}