CVE-2022-48174: Out-of-bounds Write in BusyBox

CWE-787: Out-of-bounds Write
Severity
NVD: 9.8 CRITICAL
OSV: 7.5
EPSS
0.7% (top 28.42%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Aug 22, 2023
Latest update: Aug 14, 2024

Description

There is a stack overflow in ash.c:6030 in BusyBox before 1.35. The page classifies it as CWE-787 (Out-of-bounds Write), that is, a stack-based buffer overflow rather than stack exhaustion through recursion. In an Internet of Vehicles environment, an attacker who can get a crafted command run by ash can turn the overflow into arbitrary code execution. Note that the NVD affected-version entry below lists 1.36.1, which does not match the "before 1.35" bound stated here; for distribution packages, rely on the vendor advisory versions (Debian, Ubuntu) rather than the upstream number, because the Debian fix is backported onto 1.30.1 and leaves the upstream version unchanged.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (Exploitability: 3.9 | Impact: 5.9)

Affected Packages (7 packages)

Debian (debian/busybox): < 1:1.30.1-6+deb11u1 (bullseye)
Debian (busybox/busybox): < 1:1.30.1-6+deb11u1+2
Ubuntu (busybox/busybox): < 1:1.30.1-4ubuntu6.5+5
NVD (busybox/busybox): 1.36.1

Also affects: Debian Linux 11.0
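The package table above is the practical check for this CVE: an upstream build is affected when its version is below 1.35, while a Debian bullseye package is fixed at 1:1.30.1-6+deb11u1 even though its upstream number stays at 1.30.1. The following is an added example (not code from BusyBox or from this advisory page) that encodes those two facts and applies them to a `busybox` banner line and to a dpkg version string. The banner format, the sample inputs and the minimal dpkg comparison routine are assumptions; the Ubuntu version string on the page is not used because its trailing "+5" may be page residue rather than part of the version.

```python
"""Version check for CVE-2022-48174 (BusyBox ash stack overflow).

Added example, not code from BusyBox or the advisory. Facts taken from the
page: upstream fixed in 1.35; Debian bullseye fixed in 1:1.30.1-6+deb11u1.
Everything else (banner regex, sample inputs) is an assumption.
"""
import re
from itertools import zip_longest
from typing import Optional, Tuple

UPSTREAM_FIXED = (1, 35, 0)                  # "busybox before 1.35" (page description)
DEBIAN_BULLSEYE_FIXED = "1:1.30.1-6+deb11u1"  # Debian fix version listed on the page


def upstream_vulnerable(banner: str) -> Optional[bool]:
    """Decide from a `busybox` banner, e.g. 'BusyBox v1.34.1 (...) multi-call binary.'

    Returns None when no version can be parsed. Only meaningful for unpatched
    upstream builds: distro packages backport fixes and keep the old number.
    """
    m = re.search(r"BusyBox v(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        return None
    ver = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return ver < UPSTREAM_FIXED


# --- minimal dpkg version comparison (Debian Policy 5.6.12 algorithm) ---

def _order(c: str) -> int:
    # '~' sorts before everything, even end of string; letters sort before symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_fragment(a: str, b: str) -> int:
    # Alternate: a non-digit run compared char by char, then a digit run compared numerically.
    while a or b:
        na_ = re.match(r"[^0-9]*", a).group(0)
        nb_ = re.match(r"[^0-9]*", b).group(0)
        a, b = a[len(na_):], b[len(nb_):]
        for x, y in zip_longest(na_, nb_, fillvalue=""):
            if _order(x) != _order(y):
                return -1 if _order(x) < _order(y) else 1
        da = re.match(r"[0-9]*", a).group(0)
        db = re.match(r"[0-9]*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0


def _split(v: str) -> Tuple[int, str, str]:
    # epoch:upstream-revision, with epoch and revision optional
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 like `dpkg --compare-versions` (epoch, then upstream, then revision)."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def debian_package_vulnerable(installed: str, fixed: str = DEBIAN_BULLSEYE_FIXED) -> bool:
    """True when the installed busybox package is older than the distro fix version."""
    return dpkg_compare(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample inputs (not captured from a real system).
    print(upstream_vulnerable("BusyBox v1.34.1 (2021-09-12 18:00:00 UTC) multi-call binary."))  # True
    print(debian_package_vulnerable("1:1.30.1-6"))          # True: older than 6+deb11u1
    print(debian_package_vulnerable("1:1.30.1-6+deb11u1"))  # False: exactly the fix
    # Epoch trap: the Debian string cannot be compared against the bare upstream "1.35".
    print(dpkg_compare("1:1.30.1-6+deb11u1", "1.35"))       # 1 (epoch wins, upstream is still 1.30.1)
```

The last line is the caveat that matters for scanners: comparing a Debian package version against the upstream "1.35" bound is meaningless (the epoch dominates, and the upstream component is still 1.30.1), so the two checks must never be mixed. Use the banner check only on self-built or vendor firmware images, and the dpkg check with the distribution's own fix version.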

🔴Vulnerability Details (4)

OSV: busybox vulnerabilities (2024-08-14)
OSV: busybox vulnerabilities (2023-09-04)
GHSA: GHSA-w9cc-xrp8-ffx4: There is a stack overflow vulnerability in ash (2023-08-22)
OSV: CVE-2022-48174: There is a stack overflow vulnerability in ash (2023-08-22)

📋Vendor Advisories (7)

Ubuntu: BusyBox vulnerabilities (2024-08-14)
Oracle: Oracle Communications Risk Matrix: OSO (BusyBox), CVE-2022-48174 (2024-07-15)
Oracle: Oracle Communications Risk Matrix: OSO (BusyBox), CVE-2022-48174 (2024-01-15)
Ubuntu: BusyBox vulnerabilities (2023-09-04)
Red Hat: busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution (2023-08-22)

🕵️Threat Intelligence (4)

Qualys: Oracle Critical Patch Update, July 2024 Security Update Review (2024-07-17)
Qualys: Oracle Critical Patch Security Update: July 2024 Review | Qualys (2024-07-17)
Qualys: Oracle Patch Update, January 2024 Security Update Review (2024-01-17)
Qualys: Oracle Patch Update, January 2024 Security Update Review | Qualys (2024-01-17)