JFrog Security Research

XRAY-189480 - BusyBox awk evaluate UaF

CVE-2021-42383 | CVSS 7.2

JFrog Severity: medium

Published 9 Nov. 2021 | Last updated 9 Nov. 2021

A use-after-free in BusyBox awk leads to remote code execution when processing malformed command line arguments

BusyBox

BusyBox [1.33.0, 1.33.1], fixed in 1.34.0

The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.

A use-after-free in awk leads to denial of service and possibly code execution when a crafted awk pattern is processed in the evaluate function. An attacker who controls the awk pattern (supplied as a command-line argument) can trigger this issue.
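A defender's first question on reading this advisory is whether a given BusyBox build falls inside the affected range. The following POSIX shell snippet is an added example, not part of the JFrog advisory or of the BusyBox project: it compares a dotted version string against the range [1.33.0, 1.33.1] stated above and, as a convenience, extracts the version from a BusyBox binary's help banner (the banner format "BusyBox vX.Y.Z ..." and the use of plain shell arithmetic instead of awk, which is the component under discussion, are assumptions made here).

```shell
#!/bin/sh
# Added example (not from the JFrog advisory): decide whether a BusyBox
# version string lies in the range affected by CVE-2021-42383.
# Assumes a dotted version such as "1.33.1" with each part below 1000.

# Convert "X.Y.Z" into a single integer so versions compare numerically
# (string comparison would rank "1.9.0" above "1.33.0").
busybox_version_num() {
    IFS=. read -r maj min pat <<EOF
$1
EOF
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# Return 0 (true) when the version is within [1.33.0, 1.33.1], 1 otherwise.
# The bounds are the affected range given in the advisory; 1.34.0 is fixed.
busybox_cve_2021_42383_affected() {
    v=$(busybox_version_num "$1")
    lo=$(busybox_version_num 1.33.0)
    hi=$(busybox_version_num 1.33.1)
    [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ]
}

# Read the version from the first line of a BusyBox binary's help output.
# Assumes the banner looks like "BusyBox v1.33.1 (...) multi-call binary."
# The binary path defaults to "busybox" on PATH; pass another path to
# inspect an extracted firmware root, for example.
busybox_installed_version() {
    "${1:-busybox}" --help 2>&1 | sed -n '1s/^BusyBox v\([0-9][0-9.]*\).*/\1/p'
}

# Report on the binary given as the first argument (or "busybox" on PATH).
busybox_report() {
    ver=$(busybox_installed_version "$1")
    if [ -z "$ver" ]; then
        echo "could not determine BusyBox version"
        return 2
    fi
    if busybox_cve_2021_42383_affected "$ver"; then
        echo "BusyBox $ver is in the affected range for CVE-2021-42383"
        return 0
    fi
    echo "BusyBox $ver is outside the affected range for CVE-2021-42383"
    return 1
}
```

Point `busybox_report` at the BusyBox binary inside an unpacked firmware image to inventory embedded devices; a build outside the range is not necessarily free of the bug if a vendor backported awk changes, so a version match is a triage signal rather than proof.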

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog

NVD