docker-library / busybox

Docker Official Image packaging for Busybox
http://busybox.net

CVE-2022-28391 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors. #133

Open amehta-mstr opened 2 years ago

amehta-mstr commented 2 years ago

CVE-2022-28391 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Severity: Critical with 9.8 score
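The defensive side of the issue described above, as an added example that is not BusyBox's own code: any name that arrives from an untrusted DNS answer (such as a PTR record) should have its non-printable bytes rendered visibly before being written to a terminal, so that ESC/CSI/OSC sequences embedded in the name never reach the VT. The function name and the sample PTR value below are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Copy `in` to `out`, replacing every byte outside printable ASCII
 * (0x20..0x7e) and the backslash itself with a visible "\xNN" escape.
 * A DNS-supplied name therefore cannot smuggle a terminal control
 * sequence into the caller's VT. Returns the number of bytes that were
 * escaped, or -1 if `out` (of size `outlen`) is too small. */
int sanitize_for_terminal(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    int escaped = 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p >= 0x20 && *p <= 0x7e && *p != '\\') {
            if (o + 1 >= outlen)          /* room for byte + NUL */
                return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outlen)          /* room for \xNN + NUL */
                return -1;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0f];
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed PTR value carrying an OSC title-set sequence (ESC ] ... BEL). */
    const char *hostile = "evil\033]0;pwned\a.example";
    const char *benign  = "db-01.internal";
    char buf[128];

    int n = sanitize_for_terminal(hostile, buf, sizeof buf);
    printf("%d bytes escaped: %s\n", n, buf);   /* 2 bytes escaped: evil\x1b]0;pwned\x07.example */
    n = sanitize_for_terminal(benign, buf, sizeof buf);
    printf("%d bytes escaped: %s\n", n, buf);   /* 0 bytes escaped: db-01.internal */
    return 0;
}
```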

tianon commented 2 years ago

Unfortunately, there hasn't been a new release of BusyBox that includes a fix: https://busybox.net/ :disappointed:

That being said, I obviously can't speak for all users of this image, but I imagine that specific vulnerable workflow is going to be very rare with users of this image. :sweat_smile:

addisonautomates commented 1 year ago

Any update on this? About to have to abandon alpine linux (busybox dependency) at my company unless we can get an idea if this will ever be addressed. Based on the last release it feels like busybox is dead and thus will retain these vulnerabilities indefinitely, which various vuln software rate as Critical or High.

tianon commented 1 year ago

Unfortunately, you're asking the wrong folks -- we don't maintain BusyBox, just the Docker container image packaging of it that's available at https://hub.docker.com/_/busybox.

tianon commented 8 months ago

I think https://bugs.busybox.net/show_bug.cgi?id=CVE-2022-28391 is probably the appropriate place to track this :eyes: