CVE-2021-42377

CVE	CVE-2021-42377
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2021-11-15 21:15:00 UTC
Updated	2023-11-07 03:39:00 UTC
Description	An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

Problem Types: CWE-763

Type	Vendor	Product	Version	Update	Edition	Language
Application	Busybox	Busybox	1.33.0	All	All	All
Application	Busybox	Busybox	1.33.1	All	All	All
Operating System	Fedoraproject	Fedora	33	All	All	All
Operating System	Fedoraproject	Fedora	34	All	All	All
Application	Netapp	Cloud Backup	-	All	All	All
Hardware	Netapp	H300e	-	All	All	All
Operating System	Netapp	H300e Firmware	-	All	All	All
Hardware	Netapp	H300s	-	All	All	All
Operating System	Netapp	H300s Firmware	-	All	All	All
Hardware	Netapp	H410s	-	All	All	All
Operating System	Netapp	H410s Firmware	-	All	All	All
Hardware	Netapp	H500e	-	All	All	All
Operating System	Netapp	H500e Firmware	-	All	All	All
Hardware	Netapp	H500s	-	All	All	All
Operating System	Netapp	H500s Firmware	-	All	All	All
Hardware	Netapp	H700e	-	All	All	All
Operating System	Netapp	H700e Firmware	-	All	All	All
Hardware	Netapp	H700s	-	All	All	All
Operating System	Netapp	H700s Firmware	-	All	All	All
Application	Netapp	Hci Management Node	-	All	All	All
Application	Netapp	Solidfire	-	All	All	All

Reference	Source	Link	Tags
November 2021 BusyBox Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog \| JFrog	N/A	jfrog.com
[SECURITY] Fedora 33 Update: busybox-1.34.1-1.fc33 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Unboxing BusyBox: 14 Vulnerabilities Uncovered by Claroty, JFrog \| Claroty	MISC	claroty.com
[SECURITY] Fedora 33 Update: busybox-1.34.1-1.fc33 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
FEDORA-2021-c52c0fe490	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: busybox-1.34.1-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

183669 Debian Security Update for busybox (CVE-2021-42377)
282073 Fedora Security Update for busybox (FEDORA-2021-c52c0fe490)
282074 Fedora Security Update for busybox (FEDORA-2021-5a95823596)
671487 EulerOS Security Update for busybox (EulerOS-SA-2022-1472)
671518 EulerOS Security Update for busybox (EulerOS-SA-2022-1463)
730371 McAfee Web Gateway Multiple Vulnerabilities (WP-3335,WP-4131,WP-4159,WP-4237,WP-4259,WP-4329,WP-4348,WP-4355,WP-4376,WP-4407,WP-4421)
751624 SUSE Enterprise Linux Security Update for busybox (SUSE-SU-2022:0135-1)
751633 OpenSUSE Security Update for busybox (openSUSE-SU-2022:0135-1)
752794 SUSE Enterprise Linux Security Update for busybox (SUSE-SU-2022:3959-1)
752903 SUSE Enterprise Linux Security Update for busybox (SUSE-SU-2022:4253-1)