CVE-2011-2716 — Improper Input Validation in Busybox

CWE-20 — Improper Input Validation8 documents7 sources

Severity

6.8MEDIUMNVD

EPSS

0.7%

top 27.80%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox T-mobile Tm-ac1900

Timeline

PublishedJul 3

Latest updateMay 13

Description

The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.

CVSS vector

AV:A/AC:H/C:C/I:C/A:CExploitability: 3.2 | Impact: 10.0

Affected Packages3 packages

▶Debianbusybox/busybox< 1:1.20.0-3+3

▶NVDbusybox/busybox1.19.4+77

▶NVDt-mobile/tm-ac19003.0.0.4.376_3169

Patches

Patch: bugs.busybox.net ↗Patch: bugs.busybox.net ↗

🔴Vulnerability Details

GHSA

GHSA-4fjg-vv5f-pmrp: The DHCP client (udhcpc) in BusyBox before 1↗2022-05-13

▶

CVEList

CVE-2011-2716: The DHCP client (udhcpc) in BusyBox before 1↗2012-07-03

▶

OSV

CVE-2011-2716: The DHCP client (udhcpc) in BusyBox before 1↗2012-07-03

▶

📋Vendor Advisories

Red Hat

busybox: udhcpc insufficient checking of DHCP options↗2011-03-18

▶

Debian

CVE-2011-2716: busybox - The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to ...↗2011

▶

💬Community

Bugzilla

CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options [fedora-all]↗2011-08-17

▶

Bugzilla

CVE-2011-2716 busybox: udhcpc insufficient checking of DHCP options↗2011-07-25

▶