Skip to main content

Busybox CVE-2017-16544

HIGH
Code Injection (CWE-94)
2017-11-20 cve@mitre.org
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 20, 2017 - 15:29 cve.org
HIGH 8.8

DescriptionCVE.org

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.

AnalysisAI

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Code Injection (CWE-94), which allows attackers to inject and execute arbitrary code within the application. In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks. Affected products include: Busybox, Debian Debian Linux, Vmware Esxi, Redlion N-Tron 702-W Firmware, Redlion N-Tron 702M12-W Firmware. Version information: through 1.27.2.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Never evaluate user-controlled input as code. Use sandboxing, disable dangerous functions, apply strict input validation.

CVE-2016-2148 CRITICAL POC
9.8 Feb 09

Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecif

CVE-2016-2147 HIGH POC
7.5 Feb 09

Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of servi

CVE-2022-28391 HIGH POC
8.8 Apr 03

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's

CVE-2022-30065 HIGH POC
7.8 May 18

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a

CVE-2019-5747 HIGH POC
7.5 Jan 09

An issue was discovered in BusyBox through 1.30.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi

CVE-2013-1813 HIGH POC
7.2 Nov 23

util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories

CVE-2021-42377 CRITICAL
9.8 Nov 15

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when

CVE-2018-1000517 CRITICAL
9.8 Jun 26

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow

CVE-2017-15873 MEDIUM POC
5.5 Oct 24

The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that m

CVE-2023-42366 MEDIUM POC
5.5 Nov 27

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. Rated medium severit

CVE-2023-42365 MEDIUM POC
5.5 Nov 27

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar functio

CVE-2023-42364 MEDIUM POC
5.5 Nov 27

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk patte

Share

CVE-2017-16544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy