CVE-2021-42377
15.11.2021, 21:15
An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.Enginsight
| Vendor | Product | Version |
|---|---|---|
| busybox | busybox | 1.33.0 |
| busybox | busybox | 1.33.1 |
| netapp | cloud_backup | - |
| netapp | hci_management_node | - |
| netapp | solidfire | - |
| netapp | h300s_firmware | - |
| netapp | h500s_firmware | - |
| netapp | h700s_firmware | - |
| netapp | h300e_firmware | - |
| netapp | h500e_firmware | - |
| netapp | h700e_firmware | - |
| netapp | h410s_firmware | - |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Common Weakness Enumeration
- CWE-590 - Free of Memory not on the HeapThe application calls free() on a pointer to memory that was not allocated using associated heap allocation functions such as malloc(), calloc(), or realloc().
- CWE-763 - Release of Invalid Pointer or ReferenceThe application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly.
References