CVE-2021-42377

Name
CVE-2021-42377
Description
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
NVD Severity
high
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
N/A https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
CONFIRM https://security.netapp.com/advisory/ntap-20211223-0002/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:busybox:busybox:1.33.0:*:*:*:*:*:*:* busybox == None == 1.33.0
cpe:2.3:a:busybox:busybox:1.33.1:*:*:*:*:*:*:* busybox == None == 1.33.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
busybox 3.14-main 1.33.1-r8 Natanael Copa <ncopa@alpinelinux.org> fixed