CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-39810
https://notcve.org/view.php?id=CVE-2023-39810
An issue in the CPIO command of Busybox v1.33.2 allows attackers to execute a directory traversal. • http://busybox.com https://www.pentagrid.ch/en/blog/busybox-cpio-directory-traversal-vulnerability • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-48174 – busybox: stack overflow vulnerability in ash.c leads to arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-48174
There is a stack overflow vulnerability in ash.c:6030 in busybox before 1.35. In the environment of Internet of Vehicles, this vulnerability can be executed from command to arbitrary code execution. A vulnerability was found in the BusyBox package. This issue occurs via a stack overflow vulnerability in ash.c in BusyBox, which may allow arbitrary code execution. • https://bugs.busybox.net/show_bug.cgi?id=15216 https://access.redhat.com/security/cve/CVE-2022-48174 https://bugzilla.redhat.com/show_bug.cgi?id=2237153 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 1CVE-2022-30065
https://notcve.org/view.php?id=CVE-2022-30065
A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. Un uso de memoria previamente liberada en el applet awk de Busybox versión 1.35-x, conlleva a una denegación de servicio y posiblemente una ejecución de código cuando es procesado un patrón awk diseñado en la función copyvar • https://bugs.busybox.net/show_bug.cgi?id=14781 https://cert-portal.siemens.com/productcert/pdf/ssa-333517.pdf • CWE-416: Use After Free •
CVSS: 8.8EPSS: 1%CPEs: 1EXPL: 1CVE-2022-28391
https://notcve.org/view.php?id=CVE-2022-28391
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. BusyBox versiones hasta 1.35.0, permite a atacantes remotos ejecutar código arbitrario si es usado netstat para imprimir el valor de un registro PTR de DNS en un terminal compatible con VT. Alternativamente, el atacante podría optar por cambiar los colores de la terminal • https://git.alpinelinux.org/aports/plain/main/busybox/0001-libbb-sockaddr2str-ensure-only-printable-characters-.patch https://git.alpinelinux.org/aports/plain/main/busybox/0002-nslookup-sanitize-all-printed-strings-with-printable.patch https://gitlab.alpinelinux.org/alpine/aports/-/issues/13661 •
CVSS: 5.5EPSS: 0%CPEs: 21EXPL: 0CVE-2021-42373
https://notcve.org/view.php?id=CVE-2021-42373
A NULL pointer dereference in Busybox's man applet leads to denial of service when a section name is supplied but no page argument is given Una desreferencia de puntero NULL en el applet man de Busybox conlleva a una denegación de servicio cuando se proporciona un nombre de sección pero no se da ningún argumento de página • https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS https://security.netapp.com/advisory/ntap-20211223-0002 • CWE-476: NULL Pointer Dereference •