Candidate: CVE-2021-42377
PublicDate: 2021-11-15 21:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42377
 https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/
Description:
 An attacker-controlled pointer free in Busybox's hush applet leads to
 denial of service and possible code execution when processing a crafted
 shell command, due to the shell mishandling the &&& string. This may be
 used for remote code execution under rare conditions of filtered command
 input.
Ubuntu-Description:
Notes:
 mdeslaur> 1.33.0+
Mitigation:
Bugs:
Priority: low
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_busybox:
upstream_busybox: released (1.34.0)
trusty/esm_busybox: not-affected
esm-infra/xenial_busybox: not-affected
trusty_busybox: ignored (out of standard support)
xenial_busybox: ignored (out of standard support)
bionic_busybox: not-affected (1:1.27.2-2ubuntu3.3)
focal_busybox: not-affected (1:1.30.1-4ubuntu6.3)
hirsute_busybox: not-affected (1:1.30.1-6ubuntu2)
impish_busybox: not-affected (1:1.30.1-6ubuntu3)
jammy_busybox: not-affected (1:1.30.1-6ubuntu3)
devel_busybox: not-affected (1:1.30.1-6ubuntu3)