CVE-2021-42374

Name
CVE-2021-42374
Description
An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
N/A https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
CONFIRM https://security.netapp.com/advisory/ntap-20211223-0002/
reefs@jfrog.com https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
vendor-advisory https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
af854a3a-2127-422b-91ae-364da2661108 https://lists.debian.org/debian-lts-announce/2025/01/msg00012.html

Match rules

CPE URI Source package Min version Max version
busybox >= unspecified < 1.34.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
busybox edge-main 1.34.0_r0 None fixed
busybox edge-main 1.34.0-r0 Natanael Copa <ncopa@alpinelinux.org> fixed
busybox edge-main 1.33.0-r5 None possibly vulnerable
busybox edge-main 1.30.1-r2 None possibly vulnerable
busybox edge-main 1.29.3-r10 None possibly vulnerable
busybox edge-main 1.28.3-r2 None possibly vulnerable
busybox edge-main 1.27.2-r4 None possibly vulnerable
busybox 3.22-main 1.34.0-r0 None fixed
busybox 3.22-main 1.33.0-r5 None possibly vulnerable
busybox 3.22-main 1.30.1-r2 None possibly vulnerable
busybox 3.22-main 1.29.3-r10 None possibly vulnerable
busybox 3.22-main 1.28.3-r2 None possibly vulnerable
busybox 3.22-main 1.27.2-r4 None possibly vulnerable
busybox 3.21-main 1.34.0-r0 None fixed
busybox 3.21-main 1.33.0-r5 None possibly vulnerable
busybox 3.21-main 1.30.1-r2 None possibly vulnerable
busybox 3.21-main 1.29.3-r10 None possibly vulnerable
busybox 3.21-main 1.28.3-r2 None possibly vulnerable
busybox 3.21-main 1.27.2-r4 None possibly vulnerable
busybox 3.20-main 1.34.0-r0 None fixed
busybox 3.20-main 1.33.0-r5 None possibly vulnerable
busybox 3.20-main 1.30.1-r2 None possibly vulnerable
busybox 3.20-main 1.29.3-r10 None possibly vulnerable
busybox 3.20-main 1.28.3-r2 None possibly vulnerable
busybox 3.20-main 1.27.2-r4 None possibly vulnerable
busybox 3.19-main 1.34.0-r0 None fixed
busybox 3.19-main 1.33.0-r5 None possibly vulnerable
busybox 3.19-main 1.30.1-r2 None possibly vulnerable
busybox 3.19-main 1.29.3-r10 None possibly vulnerable
busybox 3.19-main 1.28.3-r2 None possibly vulnerable
busybox 3.19-main 1.27.2-r4 None possibly vulnerable
busybox 3.18-main 1.34.0-r0 None fixed
busybox 3.17-main 1.34.0-r0 None fixed
busybox 3.12-main 1.31.1-r22 Natanael Copa <ncopa@alpinelinux.org> fixed
busybox 3.12-main 1.31.1-r21 Natanael Copa <ncopa@alpinelinux.org> fixed
busybox 3.11-main 1.31.1-r11 Natanael Copa <ncopa@alpinelinux.org> fixed