CVE-2021-42376

Name
CVE-2021-42376
Description
A NULL pointer dereference in Busybox's hush applet leads to denial of service when processing a crafted shell command, due to missing validation after a \x03 delimiter character. This may be used for DoS under very rare conditions of filtered command input.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
N/A https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
CONFIRM https://security.netapp.com/advisory/ntap-20211223-0002/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:* busybox >= 1.16.0 < 1.34.0

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
busybox 3.11-main 1.31.1-r11 Natanael Copa <ncopa@alpinelinux.org> fixed
busybox 3.12-main 1.31.1-r22 Natanael Copa <ncopa@alpinelinux.org> fixed
busybox 3.14-main 1.33.1-r8 Natanael Copa <ncopa@alpinelinux.org> fixed
busybox 3.13-main 1.32.1-r9 Natanael Copa <ncopa@alpinelinux.org> fixed