Skip to main content

Busybox CVE-2023-42366

MEDIUM
Out-of-bounds Write (CWE-787)
2023-11-27 cve@mitre.org
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Nov 27, 2023 - 23:15 nvd
MEDIUM 5.5

DescriptionNVD

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159.

AnalysisAI

A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical ContextAI

This vulnerability is classified as Out-of-bounds Write (CWE-787), which allows attackers to write data beyond allocated buffer boundaries leading to code execution or crashes. A heap-buffer-overflow was discovered in BusyBox v.1.36.1 in the next_token function at awk.c:1159. Affected products include: Busybox.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Validate write boundaries, use memory-safe languages, enable compiler protections (ASLR, stack canaries).

CVE-2016-2148 CRITICAL POC
9.8 Feb 09

Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecif

CVE-2017-16544 HIGH POC
8.8 Nov 20

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used

CVE-2016-2147 HIGH POC
7.5 Feb 09

Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of servi

CVE-2022-28391 HIGH POC
8.8 Apr 03

BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's

CVE-2022-30065 HIGH POC
7.8 May 18

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a

CVE-2019-5747 HIGH POC
7.5 Jan 09

An issue was discovered in BusyBox through 1.30.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploi

CVE-2013-1813 HIGH POC
7.2 Nov 23

util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories

CVE-2021-42377 CRITICAL
9.8 Nov 15

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when

CVE-2018-1000517 CRITICAL
9.8 Jun 26

BusyBox project BusyBox wget version prior to commit 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e contains a Buffer Overflow

CVE-2017-15873 MEDIUM POC
5.5 Oct 24

The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that m

CVE-2023-42365 MEDIUM POC
5.5 Nov 27

A use-after-free vulnerability was discovered in BusyBox v.1.36.1 via a crafted awk pattern in the awk.c copyvar functio

CVE-2023-42364 MEDIUM POC
5.5 Nov 27

A use-after-free vulnerability in BusyBox v.1.36.1 allows attackers to cause a denial of service via a crafted awk patte

Share

CVE-2023-42366 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy