Chiencc / asuswrt-gt-ac5300

asuswrt-gt-ac5300
Other
0 stars 0 forks source link

busyboxbusybox-1.25.1: 13 vulnerabilities (highest severity is: 7.8) - autoclosed #52

Closed mend-for-github-com[bot] closed 1 year ago

mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (busyboxbusybox version) Remediation Available
CVE-2022-30065 High 7.8 busyboxbusybox-1.25.1 Direct N/A
CVE-2021-28831 High 7.5 busyboxbusybox-1.25.1 Direct busybox - 1:1.22.0-19+deb9u2
CVE-2021-42384 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42385 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42386 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42380 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42381 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42382 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42383 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42378 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2021-42379 High 7.2 busyboxbusybox-1.25.1 Direct 1_34_0
CVE-2017-1587 Medium 6.8 busyboxbusybox-1.25.1 Direct 1_28_0
CVE-2015-9261 Medium 5.5 busyboxbusybox-1.25.1 Direct 1.27.2

Details

CVE-2022-30065 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function.

Publish Date: 2022-05-18

URL: CVE-2022-30065

### CVSS 3 Score Details (7.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2021-28831 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/archival/libarchive/decompress_gunzip.c /release/src/router/busybox/archival/libarchive/decompress_gunzip.c /release/src/router/busybox/archival/libarchive/decompress_gunzip.c

### Vulnerability Details

decompress_gunzip.c in BusyBox through 1.32.1 mishandles the error bit on the huft_build result pointer, with a resultant invalid free or segmentation fault, via malformed gzip data.

Publish Date: 2021-03-19

URL: CVE-2021-28831

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-28831

Release Date: 2021-03-19

Fix Resolution: busybox - 1:1.22.0-19+deb9u2

CVE-2021-42384 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the handle_special function

Publish Date: 2021-11-15

URL: CVE-2021-42384

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42384

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42385 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

Publish Date: 2021-11-15

URL: CVE-2021-42385

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42385

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42386 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the nvalloc function

Publish Date: 2021-11-15

URL: CVE-2021-42386

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42386

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42380 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the clrvar function

Publish Date: 2021-11-15

URL: CVE-2021-42380

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42380

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42381 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the hash_init function

Publish Date: 2021-11-15

URL: CVE-2021-42381

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42381

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42382 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_s function

Publish Date: 2021-11-15

URL: CVE-2021-42382

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42382

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42383 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the evaluate function

Publish Date: 2021-11-15

URL: CVE-2021-42383

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42383

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42378 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the getvar_i function

Publish Date: 2021-11-15

URL: CVE-2021-42378

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42378

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2021-42379 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c /release/src/router/busybox/editors/awk.c

### Vulnerability Details

A use-after-free in Busybox's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the next_input_file function

Publish Date: 2021-11-15

URL: CVE-2021-42379

### CVSS 3 Score Details (7.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: High - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42379

Release Date: 2021-11-15

Fix Resolution: 1_34_0

CVE-2017-1587 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (1)

### Vulnerability Details

The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.

Publish Date: 2020-07-21

URL: CVE-2017-1587

### CVSS 3 Score Details (6.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://ubuntu.com/security/CVE-2017-15873

Release Date: 2020-07-21

Fix Resolution: 1_28_0

CVE-2015-9261 ### Vulnerable Library - busyboxbusybox-1.25.1

BusyBox: The Swiss Army Knife of Embedded Linux BusyBox combines tiny versions of many common UNIX utilities into a single small executable. It provides replacements for most of the utilities you usually find in GNU fileutils, shellutils, etc. The utilities in BusyBox generally have fewer options than their full-featured GNU cousins; however, the options that are included provide the expected functionality and behave very much like their GNU counterparts. BusyBox provides a fairly complete environment for any small or embedded system. BusyBox has been written with size-optimization and limited resources in mind. It is also extremely modular so you can easily include or exclude commands (or features) at compile time. This makes it easy to customize your embedded systems. To create a working system, just add some device nodes in /dev, a few configuration files in /etc, and a Linux kernel.

Library home page: https://busybox.net/downloads/?wsslib=busybox

Found in HEAD commit: 0c45ce909374d16605095db4fce9a89b9b6bafd5

Found in base branch: master

### Vulnerable Source Files (3)

/release/src/router/busybox/archival/libarchive/decompress_gunzip.c /release/src/router/busybox/archival/libarchive/decompress_gunzip.c /release/src/router/busybox/archival/libarchive/decompress_gunzip.c

### Vulnerability Details

huft_build in archival/libarchive/decompress_gunzip.c in BusyBox before 1.27.2 misuses a pointer, causing segfaults and an application crash during an unzip operation on a specially crafted ZIP file.

Publish Date: 2018-07-26

URL: CVE-2015-9261

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9261

Release Date: 2018-07-26

Fix Resolution: 1.27.2

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #53

mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically closed by Mend because it is a duplicate of an existing issue: #53