CVE-2021-42384
Published: 15 November 2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function
Notes
| Author | Note |
|---|---|
| ccdm94 | fix (importing awk.c from busybox version >= 1.34.0 due to large amount of changes made to the awk.c code) introduces a regression to busybox awk in xenial and earlier. Applying changes from the commit which prevents this regression from happening (237bedd499c) could result in further regressions being introduced to other applets in busybox. This happens because interfaces for applets are altered in this commit, and the calls to get them executed through busybox are modified. External applications which use busybox could end up with regressions as well because of this. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
busybox Launchpad, Ubuntu, Debian |
bionic |
Released
(1:1.27.2-2ubuntu3.4)
|
| focal |
Released
(1:1.30.1-4ubuntu6.4)
|
|
| jammy |
Released
(1:1.30.1-7ubuntu2)
|
|
| trusty |
Ignored
(see notes)
|
|
| upstream |
Released
(1.34.0)
|
|
| xenial |
Ignored
(see notes)
|
|
| hirsute |
Released
(1:1.30.1-6ubuntu2.1)
|
|
| impish |
Released
(1:1.30.1-6ubuntu3.1)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.2 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | High |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |