CVE-2021-42377

Name
CVE-2021-42377
Description
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
N/A https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
Mailing List https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
CONFIRM https://security.netapp.com/advisory/ntap-20211223-0002/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:busybox:busybox:1.33.0:*:*:*:*:*:*:* busybox == None == 1.33.0
cpe:2.3:a:busybox:busybox:1.33.1:*:*:*:*:*:*:* busybox == None == 1.33.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
busybox edge-main 1.33.0-r5 None fixed
busybox 3.22-main 1.33.0-r5 None fixed
busybox 3.21-main 1.33.0-r5 None fixed
busybox 3.20-main 1.33.0-r5 None fixed
busybox 3.19-main 1.33.0-r5 None fixed