CVE-2021-42383 — Use After Free in Busybox

CWE-416 — Use After Free9 documents6 sources

Severity

7.2HIGHNVD

EPSS

0.3%

top 47.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Fedoraproject Fedora

Timeline

PublishedNov 15

Latest updateJun 15

Description

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HExploitability: 1.2 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/busybox< busybox 1:1.35.0-1 (bookworm)

▶CVEListV5busybox/busyboxunspecified — 1.34.0

▶Debianbusybox/busybox< 1:1.35.0-1+2

▶NVDbusybox/busybox1.33.1

Also affects: Fedora 33, 34

🔴Vulnerability Details

GHSA

GHSA-xhv3-6p64-vccw: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate↗2022-05-24

▶

OSV

CVE-2021-42383: A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate↗2021-11-15

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 TM MFP BIOS↗2023-06-15

▶

CISA ICS

Siemens SINAMICS Medium Voltage Products↗2023-06-15

▶

CISA ICS

Siemens SCALANCE Third-Party↗2023-03-21

▶

CISA ICS

Siemens SCALANCE, RUGGEDCOM Third-Party↗2023-03-16

▶

Red Hat

busybox: use-after-free in awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate()↗2021-11-09

▶