
CVE-2021-42377

Published: 15 November 2021

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

Notes

Author      Note
mdeslaur    1.33.0+
Priority

Low

CVSS 3 base score: 9.8

Status

Package: busybox (Launchpad, Ubuntu, Debian)

Release     Status
bionic      Not vulnerable (1:1.27.2-2ubuntu3.3)
focal       Not vulnerable (1:1.30.1-4ubuntu6.3)
hirsute     Not vulnerable (1:1.30.1-6ubuntu2)
impish      Not vulnerable (1:1.30.1-6ubuntu3)
jammy       Not vulnerable (1:1.30.1-6ubuntu3)
trusty      Not vulnerable
upstream    Released (1.34.0)
xenial      Not vulnerable