{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-42375", "assignerOrgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "assignerShortName": "JFROG", "dateUpdated": "2024-08-04T03:30:38.275Z", "dateReserved": "2021-10-14T00:00:00", "datePublished": "2021-11-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "48a46f29-ae42-4e1d-90dd-c1676c1e5e6d", "shortName": "JFROG", "dateUpdated": "2023-04-25T00:00:00"}, "descriptions": [{"lang": "en", "value": "An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input."}], "affected": [{"vendor": "busybox", "product": "busybox", "versions": [{"version": "unspecified", "lessThan": "1.34.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/"}, {"name": "FEDORA-2021-5a95823596", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/"}, {"name": "FEDORA-2021-c52c0fe490", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/"}, {"url": "https://security.netapp.com/advisory/ntap-20211223-0002/"}, {"url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-159", "cweId": "CWE-159"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T03:30:38.275Z"}, "title": "CVE Program Container", "references": [{"url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/", "tags": ["x_transferred"]}, {"name": "FEDORA-2021-5a95823596", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/"}, {"name": "FEDORA-2021-c52c0fe490", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/"}, {"url": "https://security.netapp.com/advisory/ntap-20211223-0002/", "tags": ["x_transferred"]}, {"url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:busybox:busybox:1.33.1:*:*:*:*:*:*:*", "matchCriteriaId": "4E183752-159F-467F-9DCB-B7AED9DC2288", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*", "matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*", "matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "matchCriteriaId": "5C2089EE-5D7F-47EC-8EA5-0F69790564C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "matchCriteriaId": "A3C19813-E823-456A-B1CE-EC0684CE1953", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "matchCriteriaId": "A6E9EF0C-AFA8-4F7B-9FDC-1E0F7C26E737", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6770B6C3-732E-4E22-BF1C-2D2FD610061C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*", "matchCriteriaId": "9F9C8C20-42EB-4AB5-BD97-212DEB070C43", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FFF7106-ED78-49BA-9EC5-B889E3685D53", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*", "matchCriteriaId": "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "56409CEC-5A1E-4450-AA42-641E459CC2AF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*", "matchCriteriaId": "B06F4839-D16A-4A61-9BB5-55B13F41E47F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "108A2215-50FB-4074-94CF-C130FA14566D", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*", "matchCriteriaId": "7AFC73CE-ABB9-42D3-9A71-3F5BC5381E0E", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "32F0B6C0-F930-480D-962B-3F4EFDCC13C7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*", "matchCriteriaId": "803BC414-B250-4E3A-A478-A3881340D6B8", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "0FEB3337-BFDE-462A-908B-176F92053CEC", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*", "matchCriteriaId": "736AEAE9-782B-4F71-9893-DED53367E102", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D0B4AD8A-F172-4558-AEC6-FF424BA2D912", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*", "matchCriteriaId": "8497A4C9-8474-4A62-8331-3FE862ED4098", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "descriptions": [{"lang": "en", "value": "An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input."}, {"lang": "es", "value": "Un manejo incorrecto de un elemento especial en el applet ash de Busybox conlleva una denegaci\u00f3n de servicio cuando es procesado un comando shell dise\u00f1ado, debido a que el shell confunde caracteres espec\u00edficos con caracteres reservados. Esto puede ser usado para DoS bajo condiciones raras de entrada de comandos filtrados"}], "id": "CVE-2021-42375", "lastModified": "2024-11-21T06:27:41.403", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 1.9, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-11-15T21:15:07.593", "references": [{"source": "reefs@jfrog.com", "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog"}, {"source": "reefs@jfrog.com", "tags": ["Third Party Advisory"], "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/"}, {"source": "reefs@jfrog.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/"}, {"source": "reefs@jfrog.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/"}, {"source": "reefs@jfrog.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211223-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20211223-0002/"}], "sourceIdentifier": "reefs@jfrog.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-159"}], "source": "reefs@jfrog.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "busybox: incorrect handling of a special element in ash applet leads to denial of service when processing a crafted shell command", "id": "2023888", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2023888"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.1", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["An incorrect handling of a special element in Busybox's ash applet leads to denial of service when processing a crafted shell command, due to the shell mistaking specific characters for reserved characters. This may be used for DoS under rare conditions of filtered command input.", "A flaw was found in BusyBox, where it did not properly sanitize while processing a special element in ash, leading to a denial of service. The highest threat from this vulnerability is to system availability."], "name": "CVE-2021-42375", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "busybox", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2021-11-09T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-42375\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-42375\nhttps://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/"], "threat_severity": "Moderate", "upstream_fix": "BusyBox 1.34.0"}