JFrog Security Research
< Back

XRAY-189474 - BusyBox hush Untrusted Free

CVE-2021-42377 | CVSS 9.8

JFrog Severity:medium

Discovered ByJFrog Collabof the JFrog Security Research Team

Published 9 Nov, 2021 | Last updated 9 Nov, 2021

An attacker-controlled pointer free in Busybox hush leads to remote code execution when processing malformed command line arguments


BusyBox [1.33.0, 1.33.1], fixed in 1.34.0

The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.

An attacker-controlled pointer free in hush leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input. An attacker that controls hush command line arguments can trigger this issue.

No PoC is supplied for this issue

No vulnerability mitigations are supplied for this issue

(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog


< Back