Access Restriction Bypass Affecting grub2 package, versions <2.02~beta2-33


Severity

Recommended
0.0
high
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.11% (45th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN13-GRUB2-5681566
  • published16 Dec 2015
  • disclosed16 Dec 2015

Introduced: 16 Dec 2015

CVE-2015-8370  (opens in a new tab)
CWE-264  (opens in a new tab)

How to fix?

Upgrade Debian:13 grub2 to version 2.02~beta2-33 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream grub2 package and not the grub2 package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.

References

CVSS Scores

version 3.1