First published: Wed Jan 09 2019
An issue was discovered in BusyBox through 1.30.0. An out of bounds read in udhcp components (consumed by the DHCP client, server, and/or relay) might allow a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message. This is related to assurance of a 4-byte length when decoding DHCP_SUBNET. NOTE: this issue exists because of an incomplete fix for CVE-2018-20679.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Busybox Busybox | <=1.30.0 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =18.10 | |
debian/busybox | 1:1.30.1-6 1:1.35.0-4 1:1.37.0-4 | |
CVE-2019-5747 is a vulnerability in BusyBox through 1.30.0 that allows a remote attacker to leak sensitive information from the stack by sending a crafted DHCP message.
CVE-2019-5747 has a severity rating of 7.5 (High).
To fix CVE-2019-5747, update to BusyBox version 1.27.2-2ubuntu5 or later.
You can find more information about CVE-2019-5747 at the following references:

- https://bugs.busybox.net/show_bug.cgi?id=11506
- https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06
- https://usn.ubuntu.com/3935-1/
The Common Weakness Enumeration (CWE) associated with CVE-2019-5747 is CWE-125 (Out-of-bounds Read).
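
The description ties the out-of-bounds read to assuring a 4-byte length when decoding DHCP_SUBNET. The following is an added example (not BusyBox code and not the upstream patch) of a DHCP option walker that refuses to decode a subnet mask unless the declared length is exactly 4. The function names, constants and sample byte arrays are constructed for illustration; option codes follow RFC 2132.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OPT_PAD    0    /* single byte, carries no length field */
#define OPT_SUBNET 1    /* subnet mask: payload must be 4 bytes */
#define OPT_END    255  /* end of options */

/* Walk (code, length, data) triples. Returns the payload of `code` and stores
 * its declared length in *len; NULL if absent or if any option overruns. */
static const uint8_t *find_option(const uint8_t *opts, size_t size,
                                  uint8_t code, uint8_t *len)
{
    size_t i = 0;
    while (i < size) {
        uint8_t c = opts[i];
        if (c == OPT_PAD) { i++; continue; }
        if (c == OPT_END) break;
        if (size - i < 2) return NULL;              /* no room for length byte */
        uint8_t l = opts[i + 1];
        if ((size_t)l > size - i - 2) return NULL;  /* payload overruns buffer */
        if (c == code) { *len = l; return &opts[i + 2]; }
        i += 2 + (size_t)l;
    }
    return NULL;
}

/* Returns 0 and fills mask[] (network byte order) on success, -1 otherwise. */
int get_subnet_mask(const uint8_t *opts, size_t size, uint8_t mask[4])
{
    uint8_t len = 0;
    const uint8_t *p = find_option(opts, size, OPT_SUBNET, &len);
    if (p == NULL || len != 4)
        return -1;  /* a shorter option would turn a 4-byte read into an OOB read */
    memcpy(mask, p, 4);
    return 0;
}

/* Constructed sample option fields (not captured traffic). */
static const uint8_t good_opts[]  = { 53, 1, 5, 1, 4, 255, 255, 255, 0, 255 };
static const uint8_t short_opts[] = { 53, 1, 5, 1, 1, 255 }; /* subnet len = 1 */

int main(void)
{
    uint8_t m[4];
    printf("good:  %d\n", get_subnet_mask(good_opts, sizeof good_opts, m));
    printf("short: %d\n", get_subnet_mask(short_opts, sizeof short_opts, m));
    return 0;
}
```

In `short_opts` the one-byte payload is the last byte of the buffer, so a decoder that assumed four bytes would read three bytes past the end.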