Search for vulnerabilities
Vulnerability details: VCID-p6g6-runx-aaam
Vulnerability ID VCID-p6g6-runx-aaam
Aliases CVE-2015-8370
Summary Multiple integer underflows in Grub2 1.98 through 2.02 allow physically proximate attackers to bypass authentication, obtain sensitive information, or cause a denial of service (disk corruption) via backspace characters in the (1) grub_username_get function in grub-core/normal/auth.c or the (2) grub_password_get function in lib/crypto.c, which trigger an "Off-by-two" or "Out of bounds overwrite" memory error.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (2)
CWE-264 Permissions, Privileges, and Access Controls
CWE-787 Out-of-bounds Write
System Score Found at
generic_textual Medium http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8370.html
rhas Moderate https://access.redhat.com/errata/RHSA-2015:2623
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.00108 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02766 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02876 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02876 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.02919 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
epss 0.12683 https://api.first.org/data/v1/epss?cve=CVE-2015-8370
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1286966
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8370
cvssv2 6.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv2 6.9 https://nvd.nist.gov/vuln/detail/CVE-2015-8370
generic_textual Medium https://twitter.com/lostinsecurity/status/674925944524640257
generic_textual Medium https://ubuntu.com/security/notices/USN-2836-1
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
generic_textual HIGH http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Reference id Reference type URL
http://hmarco.org/bugs/CVE-2015-8370-Grub2-authentication-bypass.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/173703.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174049.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00040.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00041.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00043.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00044.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00003.html
http://packetstormsecurity.com/files/134831/Grub2-Authentication-Bypass.html
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-8370.html
http://rhn.redhat.com/errata/RHSA-2015-2623.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-8370.json
https://api.first.org/data/v1/epss?cve=CVE-2015-8370
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8370
http://seclists.org/fulldisclosure/2015/Dec/69
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://security.gentoo.org/glsa/201512-03
https://twitter.com/lostinsecurity/status/674925944524640257
https://ubuntu.com/security/notices/USN-2836-1
http://www.debian.org/security/2015/dsa-3421
http://www.openwall.com/lists/oss-security/2015/12/15/6
http://www.openwall.com/lists/oss-security/2024/01/15/3
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
http://www.securityfocus.com/archive/1/537115/100/0/threaded
http://www.securityfocus.com/bid/79358
http://www.securitytracker.com/id/1034422
http://www.ubuntu.com/usn/USN-2836-1
1286966 https://bugzilla.redhat.com/show_bug.cgi?id=1286966
807614 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=807614
cpe:2.3:a:gnu:grub2:1.98:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnu:grub2:1.98:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:1.99:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnu:grub2:1.99:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.00:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnu:grub2:2.00:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.01:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnu:grub2:2.01:*:*:*:*:*:*:*
cpe:2.3:a:gnu:grub2:2.02:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:gnu:grub2:2.02:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
CVE-2015-8370 https://nvd.nist.gov/vuln/detail/CVE-2015-8370
RHSA-2015:2623 https://access.redhat.com/errata/RHSA-2015:2623
USN-2836-1 https://usn.ubuntu.com/2836-1/
No exploits are available.
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: AV:L/AC:M/Au:N/C:C/I:C/A:C Found at https://nvd.nist.gov/vuln/detail/CVE-2015-8370
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Exploit Prediction Scoring System (EPSS)
Percentile 0.44683
EPSS Score 0.00108
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.