| description | title | date_published | last_updated | xray_id | vul_id | cvss | severity | discovered_by | type |
|---|---|---|---|---|---|---|---|---|---|
CVE-2021-42386 Medium severity. A use-after-free in Busybox awk leads to remote code execution when processing malformed command line arguments |
BusyBox awk nvalloc UaF |
2021-11-09 |
2021-11-09 |
XRAY-189483 |
CVE-2021-42386 |
7.2 |
medium |
JFrog Collab |
vulnerability |
A use-after-free in Busybox awk leads to remote code execution when processing malformed command line arguments
BusyBox [1.33.0, 1.33.1], fixed in 1.34.0
The BusyBox toolkit implements a large number of Linux tools in a single executable and can even replace the Linux init system. Its small size and flexibility make it popular in embedded devices.
A use-after-free in awk leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function.
An attacker that controls the awk pattern (through the command line argument) can trigger this issue.
No PoC is supplied for this issue
No vulnerability mitigations are supplied for this issue
(JFrog) Unboxing BusyBox - 14 new vulnerabilities uncovered by Claroty and JFrog