CVE-2021-42377

CRITICAL

Busybox - Remote Code Execution

Title source: rule

Description

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

References (5)

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/

[Third Party Advisory] https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20211223-0002/

[Various Sources] https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog

Scores

CVSS v3 9.8

EPSS 0.0285

EPSS Percentile 86.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-590 CWE-763

Status published

Products (14)

busybox/busybox 1.33.0

busybox/busybox 1.33.1

fedoraproject/fedora 33

fedoraproject/fedora 34

netapp/cloud_backup

netapp/h300e_firmware

netapp/h300s_firmware

netapp/h410s_firmware

netapp/h500e_firmware

netapp/h500s_firmware

... and 4 more

Published Nov 15, 2021

Tracked Since Feb 18, 2026