PT-2023-25585 · Unknown · Calamares-Nixos-Extensions
Jonathonhall-Purism +3 · Published 2023-06-29 · Updated 2024-08-16 · CVE-2023-36476
CVSS v3.1: 7.9 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
calamares-nixos-extensions versions 0.3.12 and prior
Description
The issue affects users of calamares-nixos-extensions who installed NixOS through the graphical calamares installer with an unencrypted /boot, on either non-UEFI systems or with a LUKS partition different from /. In these cases, the LUKS key file is stored in /boot as a plaintext CPIO archive attached to the NixOS initrd. A patch is anticipated to be part of version 0.3.13.
Recommendations
For versions 0.3.12 and prior, expert users can re-encrypt the LUKS partition(s) themselves as a workaround.
Update to version 0.3.13 or later when available to apply the patch.
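An audit check for the condition described above, as an added example that is not part of the original advisory or the project's code: it lists the regular files readable in an uncompressed newc CPIO segment, such as one concatenated to an initrd on an unencrypted /boot. The segment being uncompressed, the `key` name hint and the sample archive are assumptions; a compressed segment has to be decompressed before it is passed in.

```python
# Added example. Assumes an uncompressed newc segment; the name hint is hypothetical.
import stat

MAGIC, HDR_LEN = b"070701", 110  # newc magic; magic + 13 eight-digit hex fields

def _pad4(n):  # newc pads names and data to 4-byte boundaries
    return (n + 3) & ~3

def cpio_entries(blob):
    """Yield (name, mode, data) for each member of every uncompressed newc
    archive concatenated in blob (zero padding between archives is skipped)."""
    pos, base = 0, None
    while pos + HDR_LEN <= len(blob):
        if blob[pos:pos + 6] != MAGIC:
            if blob[pos] != 0:
                break            # compressed or unknown data: stop, do not guess
            pos, base = pos + 1, None
            continue
        if base is None:
            base = pos           # alignment is relative to the archive start
        f = [int(blob[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, size, namesize = f[1], f[6], f[11]
        name = blob[pos + HDR_LEN:pos + HDR_LEN + namesize - 1].decode(errors="replace")
        data_at = base + _pad4(pos - base + HDR_LEN + namesize)
        pos = base + _pad4(data_at - base + size)
        if name == "TRAILER!!!":
            base = None          # a further archive may follow
        else:
            yield name, mode, blob[data_at:data_at + size]

def readable_key_material(blob, hints=("key",)):
    """Return [(name, size)] of non-empty regular files whose name contains a hint."""
    return [(n, len(d)) for n, m, d in cpio_entries(blob)
            if stat.S_ISREG(m) and d and any(h in n.lower() for h in hints)]

def _member(name, data=b"", mode=0o100400):
    """Build one newc member (used only for the constructed sample below)."""
    raw = name.encode() + b"\0"
    hdr = MAGIC + b"".join(b"%08X" % v for v in
                           (1, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(raw), 0))
    out = hdr + raw
    out += b"\0" * (_pad4(len(out)) - len(out)) + data
    return out + b"\0" * (_pad4(len(out)) - len(out))

# Constructed sample: one directory, one fake key file, trailer, block padding.
SAMPLE = (_member(".", mode=0o040755) + _member("example_keyfile.bin", b"K" * 64)
          + _member("TRAILER!!!", mode=0)).ljust(512, b"\0")
if __name__ == "__main__":
    print(readable_key_material(SAMPLE))
```

An empty result only means no matching file was found in uncompressed segments; it does not show that the initrd carries no key material.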
Exploit
Fix
Insufficiently Protected Credentials
Information Disclosure
Related Identifiers
Affected Products
Calamares-Nixos-Extensions