NVD:CVE-2022-28734
History: Jul 20, 2023 - 1:15 a.m.

CVE-2022-28734

2023-07-20 01:15:10
CWE-787
web.nvd.nist.gov
8
grub2
http
out-of-bounds
write
vulnerability
memory corruption

CVSS3: 7

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

AI Score: 8.3
Confidence: High

EPSS: 0.001
Percentile: 24.8%

Out-of-bounds write when handling split HTTP headers. When handling split HTTP headers, the GRUB2 HTTP code accidentally moves its internal data buffer pointer by one position. This can lead to an out-of-bounds write later when parsing the HTTP request, writing a NULL byte past the buffer. It is conceivable that an attacker-controlled set of packets can lead to corruption of GRUB2's internal memory metadata.

Affected configurations

Nvd

Node: gnu grub2, Range 2.00 - 2.06-3
Node: netapp active_iq_unified_manager, Match -, vmware_vsphere

| Vendor | Product | Version | CPE |
|--------|---------|---------|-----|
| gnu | grub2 | * | cpe:2.3:a:gnu:grub2:*:*:*:*:*:*:*:* |
| netapp | active_iq_unified_manager | - | cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* |
