prometheus / blackbox_exporter

Blackbox prober exporter
https://prometheus.io
Apache License 2.0

CVE-2021-42377 reported in prom/blackbox-exporter:v0.19.0 #879

Open ggunawan opened 2 years ago

ggunawan commented 2 years ago

Our docker image scanning tools reported that prom/blackbox-exporter:v0.19.0 has CVE-2021-42377 with the following description:

An attacker-controlled pointer free in Busybox's hush applet leads to denial of service and possible code execution when processing a crafted shell command, due to the shell mishandling the &&& string. This may be used for remote code execution under rare conditions of filtered command input.

Is it possible to create a newer version of this image to resolve this CVE?

SuperQ commented 2 years ago

An attacker would already have to be inside the container for this to be exploitable.