{"api_version":"1","generated_at":"2026-04-23T00:59:39+00:00","cve":"CVE-2021-3981","urls":{"html":"https://cve.report/CVE-2021-3981","api":"https://cve.report/api/cve/CVE-2021-3981.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-3981","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-3981"},"summary":{"title":"CVE-2021-3981","description":"A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2022-03-10 17:43:00","updated_at":"2024-01-16 01:15:00"},"problem_types":["CWE-276"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AI776L35DDYPCSAAJPJM3ZEQYSFZHBJX/","name":"FEDORA-2021-73d63662b0","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 34 Update: grub2-2.06-9.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AI776L35DDYPCSAAJPJM3ZEQYSFZHBJX/","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AI776L35DDYPCSAAJPJM3ZEQYSFZHBJX/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 34 Update: grub2-2.06-9.fc34 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2024170","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2024170","refsource":"MISC","tags":[],"title":"2024170 – (CVE-2021-3981) CVE-2021-3981 grub2: Incorrect permission in grub.cfg allow unprivileged user to read the file content","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202209-12","name":"GLSA-202209-12","refsource":"GENTOO","tags":[],"title":"GRUB: Multiple Vulnerabilities (GLSA 202209-12) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/security/cve/CVE-2021-3981","name":"https://access.redhat.com/security/cve/CVE-2021-3981","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"http://www.openwall.com/lists/oss-security/2024/01/15/3","name":"http://www.openwall.com/lists/oss-security/2024/01/15/3","refsource":"","tags":[],"title":"oss-security - CVE-2023-4001: a password bypass vulnerability in the downstream GRUB\n boot manager","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://access.redhat.com/errata/RHSA-2022:2110","name":"https://access.redhat.com/errata/RHSA-2022:2110","refsource":"MISC","tags":[],"title":"Red Hat Customer Portal - Access to 24x7 support and knowledge","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-3981","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-3981","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"3981","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"34","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"3981","vulnerable":"1","versionEndIncluding":"2.06","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"gnu","cpe5":"grub2","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-3981","qid":"159801","title":"Oracle Enterprise Linux Security Update for grub2 (ELSA-2022-2110)"},{"cve":"CVE-2021-3981","qid":"184114","title":"Debian Security Update for grub2 (CVE-2021-3981)"},{"cve":"CVE-2021-3981","qid":"240320","title":"Red Hat Update for grub2 security (RHSA-2022:2110)"},{"cve":"CVE-2021-3981","qid":"282111","title":"Fedora Security Update for grub2 (FEDORA-2021-8dbf0a81c0)"},{"cve":"CVE-2021-3981","qid":"282196","title":"Fedora Security Update for grub2 (FEDORA-2021-73d63662b0)"},{"cve":"CVE-2021-3981","qid":"353265","title":"Amazon Linux Security Advisory for grub2 : ALAS2-2022-1787"},{"cve":"CVE-2021-3981","qid":"354332","title":"Amazon Linux Security Advisory for grub2 : ALAS2022-2022-109"},{"cve":"CVE-2021-3981","qid":"354408","title":"Amazon Linux Security Advisory for grub2 : ALAS2022-2022-043"},{"cve":"CVE-2021-3981","qid":"354535","title":"Amazon Linux Security Advisory for grub2 : ALAS-2022-109"},{"cve":"CVE-2021-3981","qid":"355137","title":"Amazon Linux Security Advisory for grub2 : ALAS2023-2023-020"},{"cve":"CVE-2021-3981","qid":"671769","title":"EulerOS Security Update for grub2 (EulerOS-SA-2022-1819)"},{"cve":"CVE-2021-3981","qid":"671775","title":"EulerOS Security Update for grub2 (EulerOS-SA-2022-1828)"},{"cve":"CVE-2021-3981","qid":"671912","title":"EulerOS Security Update for grub2 (EulerOS-SA-2022-1967)"},{"cve":"CVE-2021-3981","qid":"671939","title":"EulerOS Security Update for grub2 (EulerOS-SA-2022-1997)"},{"cve":"CVE-2021-3981","qid":"672032","title":"EulerOS Security Update for grub2 (EulerOS-SA-2022-2268)"},{"cve":"CVE-2021-3981","qid":"672481","title":"EulerOS Security Update for grub2 (EulerOS-SA-2023-1011)"},{"cve":"CVE-2021-3981","qid":"672521","title":"EulerOS Security Update for grub2 (EulerOS-SA-2023-1036)"},{"cve":"CVE-2021-3981","qid":"710619","title":"Gentoo Linux GRUB Multiple Vulnerabilities (GLSA 202209-12)"},{"cve":"CVE-2021-3981","qid":"900742","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for grub2 (8934)"},{"cve":"CVE-2021-3981","qid":"901235","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for grub2 (8937)"},{"cve":"CVE-2021-3981","qid":"901359","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for grub2 (8934-1)"},{"cve":"CVE-2021-3981","qid":"902625","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for grub2 (8937-1)"},{"cve":"CVE-2021-3981","qid":"940519","title":"AlmaLinux Security Update for grub2 (ALSA-2022:2110)"},{"cve":"CVE-2021-3981","qid":"960128","title":"Rocky Linux Security Update for grub2 (RLSA-2022:2110)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2021-3981","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing non privileged users to read its content. This represents a low severity confidentiality issue, as those users can eventually read any encrypted passwords present in grub.cfg. This flaw affects grub2 2.06 and previous versions. This issue has been fixed in grub upstream but no version with the fix is currently released."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-276","cweId":"CWE-276"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"grub2","version":{"version_data":[{"version_affected":"=","version_value":"grub2 2.06 and previous versions"}]}}]}}]}},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2024170","refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=2024170"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AI776L35DDYPCSAAJPJM3ZEQYSFZHBJX/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AI776L35DDYPCSAAJPJM3ZEQYSFZHBJX/"},{"url":"https://security.gentoo.org/glsa/202209-12","refsource":"MISC","name":"https://security.gentoo.org/glsa/202209-12"}]}},"nvd":{"publishedDate":"2022-03-10 17:43:00","lastModifiedDate":"2024-01-16 01:15:00","problem_types":["CWE-276"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":3.3,"baseSeverity":"LOW"},"exploitabilityScore":1.8,"impactScore":1.4},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:L/AC:L/Au:N/C:P/I:N/A:N","accessVector":"LOCAL","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":2.1},"severity":"LOW","exploitabilityScore":3.9,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:*","versionEndIncluding":"2.06","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"3981","Ordinal":"221673","Title":"CVE-2021-3981","CVE":"CVE-2021-3981","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"3981","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}