{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2025-0624: net: Out-of-bounds write in grub_net_search_configfile()\n- CVE-2025-0690: read: Integer overflow may lead to out-of-bounds write\n- CVE-2025-1118: commands/dump: The dump command is not in lockdown when\n  secure boot is enabled\n- CVE-2025-0678: squash4: Integer overflow may lead to heap based\n  out-of-bounds write when reading data\n- CVE-2025-1125: fs/hfs: Integer overflow may lead to heap based\n  out-of-bounds write",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/cloudlinux7els/advisories/2025/clsa-2025_1744219840.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1744219840",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1744219840"
      }
    ],
    "tracking": {
      "current_release_date": "2025-05-19T15:28:40Z",
      "generator": {
        "date": "2025-05-19T15:28:40Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1744219840",
      "initial_release_date": "2025-04-09T17:30:42Z",
      "revision_history": [
        {
          "date": "2025-04-09T17:30:42Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-05-19T15:28:40Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "grub2: Fix of 5 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CloudLinux 7",
                "product": {
                  "name": "CloudLinux 7",
                  "product_id": "CloudLinux-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:cloudlinux:cloudlinux:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "CloudLinux"
          }
        ],
        "category": "vendor",
        "name": "Cloud Linux Software, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                "product": {
                  "name": "grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_id": "grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-pc-modules@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                "product": {
                  "name": "grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_id": "grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-common@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                "product": {
                  "name": "grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_id": "grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-efi-x64-modules@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=noarch&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                "product": {
                  "name": "grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_id": "grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-efi-ia32-modules@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=noarch&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                "product": {
                  "name": "grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_id": "grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                "product": {
                  "name": "grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_id": "grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-efi-x64@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                "product": {
                  "name": "grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_id": "grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-tools@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                "product": {
                  "name": "grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_id": "grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-efi-ia32-cdboot@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                "product": {
                  "name": "grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_id": "grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-pc@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=x86_64&epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                "product": {
                  "name": "grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_id": "grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/cloudlinux/grub2-efi-x64-cdboot@2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4?arch=x86_64&epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        },
        "product_reference": "grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64"
        },
        "product_reference": "grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64"
        },
        "product_reference": "grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        },
        "product_reference": "grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64"
        },
        "product_reference": "grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        },
        "product_reference": "grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64"
        },
        "product_reference": "grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64"
        },
        "product_reference": "grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64 as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64"
        },
        "product_reference": "grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
        "relates_to_product_reference": "CloudLinux-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch as a component of CloudLinux 7",
          "product_id": "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        },
        "product_reference": "grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
        "relates_to_product_reference": "CloudLinux-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-0678",
      "cwe": {
        "id": "CWE-190",
        "name": "Integer Overflow or Wraparound"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2. When reading data from a squash4 filesystem, grub's squash4 fs module uses user-controlled parameters from the filesystem geometry to determine the internal buffer size; however, it improperly checks for integer overflows. A maliciously crafted filesystem may lead some of those buffer size calculations to overflow, causing it to perform a grub_malloc() operation with a smaller size than expected. As a result, direct_read() will perform a heap-based out-of-bounds write during data reading. This flaw may be leveraged to corrupt grub's internal critical data and may result in arbitrary code execution, bypassing secure boot protections.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-0678"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2025-0678",
          "url": "https://access.redhat.com/security/cve/CVE-2025-0678"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2346118",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2346118"
        }
      ],
      "release_date": "2025-03-03T17:15:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    },
    {
      "cve": "CVE-2024-45782",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in the HFS filesystem. When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() using the user-provided volume name as input without properly validating the volume name's length. This issue may lead to a heap-based out-of-bounds write, impacting grub's sensitive data integrity and eventually leading to a secure boot protection bypass.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45782"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2024-45782",
          "url": "https://access.redhat.com/security/cve/CVE-2024-45782"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2345858",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345858"
        }
      ],
      "release_date": "2025-03-03T17:15:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    },
    {
      "cve": "CVE-2024-45777",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2. The calculation of the translation buffer when reading a language .mo file in grub_gettext_getstr_from_position() may overflow, leading to an out-of-bounds write. This issue can be leveraged by an attacker to overwrite grub2's sensitive heap data, eventually leading to the circumvention of secure boot protections.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45777"
        }
      ],
      "release_date": "2025-02-18T18:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    },
    {
      "cve": "CVE-2025-0624",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grub_strcpy() function. During this step, it fails to consider the environment variable length when allocating the internal buffer, resulting in an out-of-bounds write. If correctly exploited, this issue may result in remote code execution through the same network segment grub is searching for the boot information, which can be used to by-pass secure boot protections.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-0624"
        }
      ],
      "release_date": "2025-02-18T18:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    },
    {
      "cve": "CVE-2023-4692",
      "cwe": {
        "id": "CWE-122",
        "name": "Heap-based Buffer Overflow"
      },
      "notes": [
        {
          "category": "description",
          "text": "An out-of-bounds write flaw was found in grub2's NTFS filesystem driver. This issue may allow an attacker to present a specially crafted NTFS filesystem image, leading to grub's heap metadata corruption. In some circumstances, the attack may also corrupt the UEFI firmware heap metadata. As a result, arbitrary code execution and secure boot protection bypass may be achieved.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-4692"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:2456",
          "url": "https://access.redhat.com/errata/RHSA-2024:2456"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/errata/RHSA-2024:3184",
          "url": "https://access.redhat.com/errata/RHSA-2024:3184"
        },
        {
          "category": "external",
          "summary": "https://access.redhat.com/security/cve/CVE-2023-4692",
          "url": "https://access.redhat.com/security/cve/CVE-2023-4692"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=2236613",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2236613"
        },
        {
          "category": "external",
          "summary": "https://dfir.ru/2023/10/03/cve-2023-4692-cve-2023-4693-vulnerabilities-in-the-grub-boot-manager/",
          "url": "https://dfir.ru/2023/10/03/cve-2023-4692-cve-2023-4693-vulnerabilities-in-the-grub-boot-manager/"
        },
        {
          "category": "external",
          "summary": "https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html",
          "url": "https://lists.gnu.org/archive/html/grub-devel/2023-10/msg00028.html"
        },
        {
          "category": "external",
          "summary": "https://seclists.org/oss-sec/2023/q4/37",
          "url": "https://seclists.org/oss-sec/2023/q4/37"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUU42E7CPYLATXOYVYNW6YTXXULAOV6L/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FUU42E7CPYLATXOYVYNW6YTXXULAOV6L/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRJ5UZRXX2KLR4IKBJEQUNGOCXMMDLY/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIRJ5UZRXX2KLR4IKBJEQUNGOCXMMDLY/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PERFILCHFEUGG3OAMC6W55P6DDIBZK4Q/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PERFILCHFEUGG3OAMC6W55P6DDIBZK4Q/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202311-14",
          "url": "https://security.gentoo.org/glsa/202311-14"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20231208-0002/",
          "url": "https://security.netapp.com/advisory/ntap-20231208-0002/"
        }
      ],
      "release_date": "2023-10-25T18:17:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    },
    {
      "cve": "CVE-2024-45774",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2. A specially crafted JPEG file can cause the JPEG parser of grub2 to incorrectly check the bounds of its internal buffers, resulting in an out-of-bounds write. The possibility of overwriting sensitive information to bypass secure boot protections is not discarded.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45774"
        }
      ],
      "release_date": "2025-02-18T00:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    },
    {
      "cve": "CVE-2024-45776",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "When reading the language .mo file in grub_mofile_open(), grub2 fails to verify an integer overflow when allocating its internal buffer. A crafted .mo file may lead the buffer size calculation to overflow, leading to out-of-bound reads and writes. This flaw allows an attacker to leak sensitive data or overwrite critical data, possibly circumventing secure boot protections.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45776"
        }
      ],
      "release_date": "2025-02-18T18:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    },
    {
      "cve": "CVE-2024-45781",
      "cwe": {
        "id": "CWE-787",
        "name": "Out-of-bounds Write"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2. When reading a symbolic link's name from a UFS filesystem, grub2 fails to validate the string length taken as an input. The lack of validation may lead to a heap out-of-bounds write, causing data integrity issues and eventually allowing an attacker to circumvent secure boot protections.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45781"
        }
      ],
      "release_date": "2025-02-18T18:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 6.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    },
    {
      "cve": "CVE-2024-45775",
      "cwe": {
        "id": "CWE-252",
        "name": "Unchecked Return Value"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2 where the grub_extcmd_dispatcher() function calls grub_arg_list_alloc() to allocate memory for the grub's argument list. However, it fails to check in case the memory allocation fails. Once the allocation fails, a NULL point will be processed by the parse_option() function, leading grub to crash or, in some rare scenarios, corrupt the IVT data.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45775"
        }
      ],
      "release_date": "2025-01-28T00:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    },
    {
      "cve": "CVE-2024-45783",
      "cwe": {
        "id": "CWE-911",
        "name": "Improper Update of Reference Count"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in grub2. When failing to mount an HFS+ grub, the hfsplus filesystem driver doesn't properly set an ERRNO value. This issue may lead to a NULL pointer access.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
          "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
          "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-45783"
        }
      ],
      "release_date": "2025-02-18T18:00:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 4.4,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CloudLinux-7:grub2-pc-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-common-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-tools-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch",
            "CloudLinux-7:grub2-efi-ia32-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-pc-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-x64-cdboot-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.x86_64",
            "CloudLinux-7:grub2-efi-ia32-modules-1:2.02-0.87.el7_9.14.cloudlinux.1.tuxcare.els4.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    }
  ]
}