First published: Mon Nov 15 2021
A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function
Credit: reefs@jfrog.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Busybox Busybox | >=1.16.0, <=1.33.1 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| debian/busybox | <=1:1.30.1-6 | 1:1.35.0-4, 1:1.36.1-9 |
CVE-2021-42378 is a use-after-free vulnerability in Busybox's awk applet, reached in the getvar_i function when a crafted awk pattern is processed; it can lead to denial of service and possibly code execution.
CVE-2021-42378 can affect you if you are running an affected version of Busybox, with the same consequences: denial of service and possibly code execution.
The following versions of Busybox are affected by CVE-2021-42378: 1:1.27.2-2ubuntu3.4, 1:1.30.1-4ubuntu6.4, 1:1.30.1-6ubuntu2.1, 1:1.30.1-6ubuntu3.1, 1:1.30.1-7ubuntu2, 1.34.0, 1:1.35.0-4, 1:1.36.1-3.1.
To fix CVE-2021-42378, update Busybox to a version that includes the security patch (the table above lists the fixed versions where known).
For more information about CVE-2021-42378, you can visit the following references: [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378), [JFrog Blog](https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/), [Ubuntu Security Notices](https://ubuntu.com/security/notices/USN-5179-1).