CVE-2021-42377

Gentoo Linux Security Advisory 202407-17

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

Un puntero libre controlado por un atacante en el applet hush de Busybox conlleva a una denegación de servicio y una posible ejecución de código cuando es procesado un comando shell diseñado, debido a que el shell maneja inapropiadamente la cadena &&&. Esto puede ser usado para una ejecución de código remota bajo condiciones raras de entrada de comandos filtrados

Multiple vulnerabilities have been discovered in BusyBox, the worst of which could lead to arbitrary code execution. Versions greater than or equal to 1.34.0 are affected.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-10-14 CVE Reserved
2021-11-15 CVE Published
2024-08-04 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-590: Free of Memory not on the Heap
CWE-763: Release of Invalid Pointer or Reference

CAPEC

References (5)

URL	Tag	Source
https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211223-0002	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Netapp Search vendor "Netapp"	H300s Firmware Search vendor "Netapp" for product "H300s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300s Search vendor "Netapp" for product "H300s"	-	-	Safe
Netapp Search vendor "Netapp"	H500s Firmware Search vendor "Netapp" for product "H500s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500s Search vendor "Netapp" for product "H500s"	-	-	Safe
Netapp Search vendor "Netapp"	H700s Firmware Search vendor "Netapp" for product "H700s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700s Search vendor "Netapp" for product "H700s"	-	-	Safe
Netapp Search vendor "Netapp"	H300e Firmware Search vendor "Netapp" for product "H300e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H300e Search vendor "Netapp" for product "H300e"	-	-	Safe
Netapp Search vendor "Netapp"	H500e Firmware Search vendor "Netapp" for product "H500e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H500e Search vendor "Netapp" for product "H500e"	-	-	Safe
Netapp Search vendor "Netapp"	H700e Firmware Search vendor "Netapp" for product "H700e Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H700e Search vendor "Netapp" for product "H700e"	-	-	Safe
Netapp Search vendor "Netapp"	H410s Firmware Search vendor "Netapp" for product "H410s Firmware"	-	-	Affected	in	Netapp Search vendor "Netapp"	H410s Search vendor "Netapp" for product "H410s"	-	-	Safe
Busybox Search vendor "Busybox"		Busybox Search vendor "Busybox" for product "Busybox"				1.33.0 Search vendor "Busybox" for product "Busybox" and version "1.33.0"		-		Affected
Busybox Search vendor "Busybox"		Busybox Search vendor "Busybox" for product "Busybox"				1.33.1 Search vendor "Busybox" for product "Busybox" and version "1.33.1"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Netapp Search vendor "Netapp"		Cloud Backup Search vendor "Netapp" for product "Cloud Backup"				-		-		Affected
Netapp Search vendor "Netapp"		Hci Management Node Search vendor "Netapp" for product "Hci Management Node"				-		-		Affected
Netapp Search vendor "Netapp"		Solidfire Search vendor "Netapp" for product "Solidfire"				-		-		Affected