JFrog Security Research
< Back

XRAY-189477 - BusyBox awk clrvar UaF

CVE-2021-42380 | CVSS 7.2

JFrog Severity:medium

Discovered ByJFrog Collabof the JFrog Security Research Team

Published 9 Nov, 2021 | Last updated 9 Nov, 2021

A use-after-free in Busybox awk leads to remote code execution when processing malformed command line arguments


BusyBox [1.33.0, 1.33.1], fixed in 1.34.0

The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.

A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function. An attacker that controls the awk pattern (through the command line argument) can trigger this issue.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog


< Back