Bugzilla – Bug 1201962
Bootloader password leaked into YaST logs
Last modified: 2022-10-14 13:59:42 UTC
In yast2-bootloader (even during system installation) if the option "Protect Boot Loader with Password" is used, YaST executes the command grub2-mkpasswd-pbkdf2 to generate the hashed password. Doing so, it leaks the typed password to the YaST logs.
Looks like CWE-532 (Information Exposure Through Log Files). Similar to CVE-2012-0425 but less severe.
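The following Ruby sketch is an added example, not code from yast2-bootloader or from this report. It shows how a command runner that logs its stdin payload puts a password into the log, and how marking the payload as sensitive keeps it out. It assumes the password reaches the hashing command on stdin; `run_logged`, `hash_password`, `leaked?` and `FAKE_MKPASSWD` (a constructed stand-in for grub2-mkpasswd-pbkdf2 so the example runs offline) are hypothetical names.

```ruby
require "logger"
require "open3"
require "rbconfig"
require "stringio"

REDACTED = "<secret hidden>".freeze

# Constructed stand-in for grub2-mkpasswd-pbkdf2: reads the password twice
# from stdin and prints a fake hash line (no real hashing is done).
FAKE_MKPASSWD = [RbConfig.ruby, "-e", <<~'CHILD'].freeze
  a = $stdin.gets
  b = $stdin.gets
  abort "passwords do not match" unless a && a == b
  puts "PBKDF2 hash of your password is grub.pbkdf2.sha512.10000.CONSTRUCTED"
CHILD

# Hypothetical runner (not YaST's API). Logs every call; the stdin payload is
# written to the log only when the caller has not marked it sensitive.
def run_logged(logger, argv, stdin: "", sensitive: false)
  logger.info("exec #{argv.first} stdin=#{sensitive ? REDACTED : stdin.inspect}")
  out, err, status = Open3.capture3(*argv, stdin_data: stdin)
  logger.info("exit=#{status.exitstatus} stderr=#{err.inspect}")
  raise "command failed: #{err}" unless status.success?
  out
end

# Returns [captured log text, hash string] for one password-hashing call.
def hash_password(password, sensitive:)
  log = StringIO.new
  out = run_logged(Logger.new(log), FAKE_MKPASSWD,
                   stdin: "#{password}\n#{password}\n", sensitive: sensitive)
  [log.string, out[/grub\.pbkdf2\.\S+/]]
end

# Regression check for a test suite: the secret must not occur in the log.
def leaked?(log_text, secret)
  log_text.include?(secret)
end

if __FILE__ == $PROGRAM_NAME
  secret = "S3cr3t-constructed" # constructed sample password
  [false, true].each do |flag|
    log, hash = hash_password(secret, sensitive: flag)
    puts "sensitive=#{flag} leaked=#{leaked?(log, secret)} hash=#{hash}"
  end
end
```

A check like `leaked?` run against the captured log in a unit test catches a regression if a later change starts logging the payload again.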