CVE-2017-16544
published 2017-11-20CVE-2017-16544: In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a…
high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| busybox | busybox | <= 1.27.2 | — |
| busybox | busybox | >= 0 < 1:1.27.2-2 | 1:1.27.2-2 |
| busybox | busybox | >= 0 < 1:1.27.2-2 | 1:1.27.2-2 |
| busybox | busybox | >= 0 < 1:1.27.2-2 | 1:1.27.2-2 |
| busybox | busybox | >= 0 < 1:1.27.2-2 | 1:1.27.2-2 |
| busybox | busybox | >= 0 < 1:1.21.0-1ubuntu1.4 | 1:1.21.0-1ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.22.0-15ubuntu1.4 | 1:1.22.0-15ubuntu1.4 |
| busybox | busybox | >= 0 < 1:1.27.2-2ubuntu3.2 | 1:1.27.2-2ubuntu3.2 |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | busybox | < busybox 1:1.27.2-2 (bookworm) | busybox 1:1.27.2-2 (bookworm) |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| vmware | esxi | — | — |
| vmware | esxi | — | — |
| vmware | esxi | — | — |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH