Lucene search
RedhatCVE-2021-3697HistoryJul 06, 2022 - 4:15 p.m.
CVE-2021-3697
2022-07-0616:15:08
CWE-787
redhat
web.nvd.nist.gov
142
9
cve-2021-3697
jpeg reader
data underflow
heap
data corruption
code execution
secure boot
vulnerability
nvd
grub2
CVSS2
4.4
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS3
7
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
7.6
Confidence
High
EPSS
0
Percentile
15.7%
A crafted JPEG image may lead the JPEG reader to underflow its data pointer, allowing user-controlled data to be written in heap. To a successful to be performed the attacker needs to perform some triage over the heap layout and craft an image with a malicious format and payload. This vulnerability can lead to data corruption and eventual code execution or secure boot circumvention. This flaw affects grub2 versions prior grub-2.12.
Affected configurations
Node
gnugrub2Range2.00–2.12
Node
redhatdeveloper_toolsMatch1.0
ORredhatopenshiftMatch3.0
ORredhatenterprise_linuxMatch8.0
ORredhatenterprise_linuxMatch8.1
ORredhatenterprise_linuxMatch8.4
ORredhatenterprise_linuxMatch9.0
ORredhatenterprise_linux_eusMatch8.2
ORredhatenterprise_linux_eusMatch8.4
ORredhatenterprise_linux_eusMatch8.6
ORredhatenterprise_linux_eusMatch9.0
ORredhatenterprise_linux_for_power_little_endianMatch8.0
ORredhatenterprise_linux_for_power_little_endianMatch9.0
ORredhatenterprise_linux_for_power_little_endian_eusMatch8.2
ORredhatenterprise_linux_for_power_little_endian_eusMatch8.4
ORredhatenterprise_linux_for_power_little_endian_eusMatch8.6
ORredhatenterprise_linux_for_power_little_endian_eusMatch9.0
ORredhatenterprise_linux_server_ausMatch8.2
ORredhatenterprise_linux_server_ausMatch8.4
ORredhatenterprise_linux_server_ausMatch8.6
ORredhatenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsMatch8.1
ORredhatenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsMatch8.2
ORredhatenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsMatch8.4
ORredhatenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsMatch8.6
ORredhatenterprise_linux_server_for_power_little_endian_update_services_for_sap_solutionsMatch9.0
ORredhatenterprise_linux_server_tusMatch8.2
ORredhatenterprise_linux_server_tusMatch8.4
ORredhatenterprise_linux_server_tusMatch8.6
Node
redhatopenshift_container_platformMatch4.6
ORredhatopenshift_container_platformMatch4.9
ORredhatopenshift_container_platformMatch4.10
redhatenterprise_linuxMatch8.0
Node
redhatcodeready_linux_builderMatch-
redhatenterprise_linuxMatch8.0
ORredhatenterprise_linuxMatch9.0
ORredhatenterprise_linux_eusMatch8.2
ORredhatenterprise_linux_eusMatch8.4
ORredhatenterprise_linux_eusMatch8.6
ORredhatenterprise_linux_eusMatch9.0
| Vendor | Product | Version | CPE |
|---|---|---|---|
| gnu | grub2 | * | cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:* |
| redhat | developer_tools | 1.0 | cpe:2.3:a:redhat:developer_tools:1.0:*:*:*:*:*:*:* |
| redhat | openshift | 3.0 | cpe:2.3:a:redhat:openshift:3.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.0 | cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.1 | cpe:2.3:o:redhat:enterprise_linux:8.1:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 8.4 | cpe:2.3:o:redhat:enterprise_linux:8.4:*:*:*:*:*:*:* |
| redhat | enterprise_linux | 9.0 | cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.2 | cpe:2.3:o:redhat:enterprise_linux_eus:8.2:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.4 | cpe:2.3:o:redhat:enterprise_linux_eus:8.4:*:*:*:*:*:*:* |
| redhat | enterprise_linux_eus | 8.6 | cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:* |
CNA Affected
[
{
"product": "grub2",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "grub-2.06"
}
]
}
]References
Social References
More
Related
debiancve
debiancve
CVE-2021-3697
2022-07-06 16:15:08
veracode
veracode
Remote Code Execution (RCE)
2022-06-15 16:10:50
cbl_mariner
cbl_mariner
CVE-2021-3697 affecting package grub2 for versions less than 2.06-14
2024-03-19 17:21:46
CVE-2021-3697 affecting package grub2 for versions less than 2.06-12
2023-11-08 02:07:28
osv
osv
CVE-2021-3697
2022-07-06 16:15:08
grub2-2.06-25.1 on GA media
2024-06-15 00:00:00
Important: grub2, mokutil, shim, and shim-unsigned-x64 security update
2022-06-16 00:00:00
nessus
nessus
Photon OS 3.0: Grub2 PHSA-2023-3.0-0620
2024-07-24 00:00:00
CBL Mariner 2.0 Security Update: grub2 (CVE-2021-3697)
2024-07-03 00:00:00
Photon OS 4.0: Grub2 PHSA-2023-4.0-0439
2024-07-24 00:00:00
alpinelinux
alpinelinux
CVE-2021-3697
2022-07-06 16:15:08
prion
prion
Design/Logic Flaw
2022-07-06 16:15:00
redhatcve
redhatcve
CVE-2021-3697
2022-06-07 17:19:47
cvelist
cvelist
CVE-2021-3697
2022-07-06 15:06:47
ubuntucve
ubuntucve
CVE-2021-3697
2022-07-06 00:00:00
nvd
nvd
CVE-2021-3697
2022-07-06 16:15:08
photon
photon
Important Photon OS Security Update - PHSA-2023-4.0-0439
2023-07-28 00:00:00
Important Photon OS Security Update - PHSA-2023-3.0-0620
2023-07-28 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2024-2341
2024-02-14 10:25:29
openvas
openvas
Huawei EulerOS: Security Advisory for grub2 (EulerOS-SA-2022-2289)
2022-09-14 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:2036-1)
2022-06-13 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:2041-1)
2022-06-13 00:00:00
oraclelinux
oraclelinux
grub2 security update
2022-06-07 00:00:00
grub2 security update
2022-06-07 00:00:00
grub2 security update
2023-10-27 00:00:00
suse
suse
Security update for grub2 (important)
2022-06-13 00:00:00
Security update for grub2 (important)
2022-06-10 00:00:00
redos
redos
ROS-20240208-03
2024-02-08 00:00:00
fedora
fedora
[SECURITY] Fedora 36 Update: grub2-2.06-42.fc36
2022-06-10 01:15:49
[SECURITY] Fedora 35 Update: grub2-2.06-11.fc35
2022-06-22 01:25:16
almalinux
almalinux
Important: grub2, mokutil, shim, and shim-unsigned-x64 security update
2022-06-16 00:00:00
Important: grub2, mokutil, shim, and shim-unsigned-x64 security update
2022-06-16 00:00:00
rocky
rocky
grub2, mokutil, shim, and shim-unsigned-x64 security update
2022-06-16 13:10:10
grub2, mokutil, shim, and shim-unsigned-x64 security update
2022-06-16 13:17:13
redhat
redhat
gentoo
gentoo
GRUB: Multiple Vulnerabilities
2022-09-25 00:00:00
amazon
amazon
Important: grub2
2023-07-17 17:40:00
ubuntu
ubuntu
GRUB2 vulnerabilities
2023-09-08 00:00:00
hp
hp
HP ThinPro 8.0 SP 7 Security Updates
2024-01-26 00:00:00
HP ThinPro 8.0 SP 8 Security Updates
2024-03-01 00:00:00
avleonov
avleonov
CVSS2
4.4
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS3
7
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
7.6
Confidence
High
EPSS
0
Percentile
15.7%
Related for CVE-2021-3697