CVE-2022-28391 — Argument Injection in Busybox

CWE-88 — Argument Injection CWE-77 — Command Injection7 documents7 sources

Severity

8.8HIGHNVD

EPSS

2.4%

top 14.97%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Busybox Debian Busybox Msrc Azl3 Busybox 1.36.1-12 ON Azure Linux 3.0 +19 more

Timeline

PublishedApr 3

Latest updateJun 15

Description

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages23 packages

▶Alpinebusybox/busybox< 1.31.1-r22+11

▶NVDbusybox/busybox1.35.0

▶debiandebian/busybox

▶msrcmsrc/cm1_busybox_1.34.1-2_on_cbl_mariner_1.0

▶msrcmsrc/azl3_busybox_1.36.1-3_on_azure_linux_3.0

Patches

Patch: git.alpinelinux.org ↗Patch: git.alpinelinux.org ↗Patch: gitlab.alpinelinux.org ↗

🔴Vulnerability Details

GHSA

GHSA-h8c3-8522-vxc6: BusyBox through 1↗2022-04-04

▶

OSV

CVE-2022-28391: BusyBox through 1↗2022-04-03

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 TM MFP BIOS↗2023-06-15

▶

Microsoft

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively the attacker could choose to ch↗2022-04-12

▶

Red Hat

busybox: remote attackers may execute arbitrary code if netstat is used↗2022-04-03

▶

Debian

CVE-2022-28391: busybox - BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if nets...↗2022

▶