CVE-2022-3675

Name of the Vulnerable Software and Affected Versions Fedora CoreOS (affected versions not specified)

Description The issue is related to a misconfiguration in recent Fedora CoreOS releases that allows booting non-default OSTree deployments without entering a password, even when a GRUB bootloader password is set using a Butane config. This enables someone with access to the GRUB menu to boot into an older version of Fedora CoreOS, effectively reverting any recently applied security fixes. However, a password is still required to modify kernel command-line arguments and to access the GRUB command line.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.