CVE-2009-4128

GNU GRUB 2 1.97 - Improper Authentication via Password Length Bypass

Title source: llm

Description

GNU GRand Unified Bootloader (GRUB) 2 1.97 only compares the submitted portion of a password with the actual password, which makes it easier for physically proximate attackers to conduct brute force attacks and bypass authentication by submitting a password whose length is 1.
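
An added illustration of the flaw described above, not GRUB's source code: a constructed model of a comparison bounded by the submitted length, next to a check that compares the whole password. The function names, PW_MAX and the sample password are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PW_MAX 64  /* assumed upper bound on password length for this model */

/* Flawed model: only as many bytes as the user submitted are compared,
   so any prefix of the stored password (one character included) matches. */
int check_prefix_only(const char *entered, const char *stored)
{
    return strncmp(entered, stored, strlen(entered)) == 0;
}

/* Hardened model: both strings are copied into zero-padded fixed-size
   buffers and every byte is compared, so the lengths must agree and the
   loop does not stop at the first mismatch. */
int check_full(const char *entered, const char *stored)
{
    unsigned char a[PW_MAX] = {0}, b[PW_MAX] = {0};
    size_t la = strlen(entered), lb = strlen(stored);
    unsigned char diff = 0;

    if (la >= PW_MAX || lb >= PW_MAX)
        return 0;                      /* reject oversized input */
    memcpy(a, entered, la);
    memcpy(b, stored, lb);
    for (size_t i = 0; i < PW_MAX; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

int main(void)
{
    const char *stored = "s3cret-constructed";   /* constructed sample */
    const char *inputs[] = { "s", "s3c", "x", "s3cret-constructed" };

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-20s prefix_only=%d full=%d\n", inputs[i],
               check_prefix_only(inputs[i], stored),
               check_full(inputs[i], stored));
    return 0;
}
```

In the flawed model a one-character submission is accepted whenever it equals the first character of the stored password, which reduces the guessing space to a single byte.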

Scores

EPSS 0.0004
EPSS Percentile 12.0%

Details

CWE
CWE-287
Status published
Products (1)
gnu/grub_2 1.97
Published Dec 01, 2009
Tracked Since Feb 18, 2026