CVE-2024-45782: 
CBL Mariner vulnerability analysis and mitigation

A vulnerability was discovered in the HFS filesystem component of GRUB2 (CVE-2024-45782). When reading an HFS volume's name at grub_fs_mount(), the HFS filesystem driver performs a strcpy() operation using the user-provided volume name as input without properly validating the volume name's length (NVD, OSS Security).

The vulnerability is classified as a heap-based out-of-bounds write (CWE-787) and a classic buffer overflow (CWE-120). The issue occurs specifically in the HFS filesystem driver at fs/hfs.c:382. The CVSS v3.1 base score is rated as 7.8 HIGH by NVD (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and 6.7 MEDIUM by Red Hat (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) (NVD).

This vulnerability can lead to heap-based out-of-bounds writes, impacting GRUB's sensitive data integrity. The most severe potential consequence is the bypass of secure boot protections. The vulnerability affects GRUB2 version 2.12 and various Red Hat Enterprise Linux versions including 7.0, 8.0, and 9.0, as well as Red Hat OpenShift Container Platform 4.0 (NVD).

The vulnerability has been reported and tracked in Red Hat's bug tracking system. Users are advised to apply security updates when they become available. The issue is being tracked under Red Hat Bugzilla ID 2345858 (Red Hat Bugzilla).