4.3
CVE-2021-4122
- EPSS 0.28%
- Veröffentlicht 24.08.2022 16:15:09
- Zuletzt bearbeitet 21.11.2024 06:36:56
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
It was found that a specially crafted LUKS header could trick cryptsetup into disabling encryption during the recovery of the device. An attacker with physical access to the medium, such as a flash disk, could use this flaw to force a user into permanently disabling the encryption layer of that medium.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Cryptsetup Project ≫ Cryptsetup Version < 2.3.7
Cryptsetup Project ≫ Cryptsetup Version >= 2.4.0 < 2.4.3
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.28% | 0.195 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 4.3 | 0.7 | 3.6 |
CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
|
CWE-345 Insufficient Verification of Data Authenticity
The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
https://access.redhat.com/security/cve/CVE-2021-4122
https://bugzilla.redhat.com/show_bug.cgi?id=2031859
https://bugzilla.redhat.com/show_bug.cgi?id=2032401
https://gitlab.com/cryptsetup/cryptsetup/-/commit/0113ac2d889c5322659ad0596d4cfc6da53e356c
https://mirrors.edge.kernel.org/pub/linux/utils/cryptsetup/v2.4/v2.4.3-ReleaseNotes