CVE-2019-5747 — Out-of-bounds Read in Busybox

CWE-125 — Out-of-bounds Read9 documents7 sources

Severity

7.5HIGHNVD

EPSS

0.4%

top 41.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Canonical Ubuntu Linux

Timeline

PublishedJan 9

Latest updateMay 14

Description

An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶debiandebian/busybox< busybox 1:1.30.1-2 (bookworm)

▶Debianbusybox/busybox< 1:1.30.1-2+3

▶Ubuntubusybox/busybox< 1:1.21.0-1ubuntu1.4+2

▶NVDbusybox/busybox1.30.0

Also affects: Ubuntu Linux 14.04, 16.04, 18.04, 18.10

Patches

Patch: git.busybox.net ↗Patch: git.busybox.net ↗

🔴Vulnerability Details

GHSA

GHSA-h49r-cwwr-2hv6: An issue was discovered in BusyBox through 1↗2022-05-14

▶

OSV

busybox vulnerabilities↗2019-04-03

▶

OSV

CVE-2019-5747: An issue was discovered in BusyBox through 1↗2019-01-09

▶

📋Vendor Advisories

Ubuntu

BusyBox vulnerabilities↗2019-04-03

▶

Red Hat

busybox: Out of bounds read in udhcp components resulting in information disclosure↗2019-01-09

▶

Debian

CVE-2019-5747: busybox - An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhc...↗2019

▶

💬Community

Bugzilla

CVE-2019-5747 busybox: Out of bounds read in udhcp components resulting in information disclosure↗2019-01-17

▶

Bugzilla

CVE-2019-5747 busybox: Out of bounds read in udhcp components resulting in information disclosure [fedora-all]↗2019-01-17

▶