An out-of-bounds heap read in Busybox's unlzma applet leads to information leak and denial of service when crafted LZMA-compressed input is decompressed. This can be triggered by any applet/format that

Attack Vector Local

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

AV:L/AC:M/Au:N/C:P/I:N/A:P
Vendors Products
Netapp
  • H700s
  • H700e
  • H500s
  • H410s Firmware
  • Hci Management Node
  • H300e Firmware
  • H500s Firmware
  • H300s Firmware
  • H700s Firmware
  • Cloud Backup
  • Solidfire
  • H500e
  • H700e Firmware
  • H300e
  • H300s
  • H410s
  • H500e Firmware
Fedoraproject
  • Fedora
Busybox
  • Busybox

Configuration 1 [-]

cpe:2.3:a:busybox:busybox:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*

Configuration 3 [-]

OR cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:netapp:h300e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h300e:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:netapp:h500e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h500e:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:netapp:h700e_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h700e:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*
References
Link Resource
https://claroty.com/team82/research/unboxing-busybox-14-vulnerabilities-uncovered-by-claroty-jfrog
https://jfrog.com/blog/unboxing-busybox-14-new-vulnerabilities-uncovered-by-claroty-and-jfrog/ Exploit Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T2TURBYYJGBMQTTN2DSOAIQGP7WCPGV/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UQXGOGWBIYWOIVXJVRKHZR34UMEHQBXS/
https://security.netapp.com/advisory/ntap-20211223-0002/ Third Party Advisory
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: JFROG

Published: 2021-11-15T00:00:00

Updated: 2023-04-25T00:00:00

Reserved: 2021-10-14T00:00:00

Link: CVE-2021-42374

JSON object: View

cve-icon NVD Information

Status : Modified

Published: 2021-11-15T21:15:07.540

Modified: 2023-11-07T03:39:09.877

Link: CVE-2021-42374

JSON object: View

cve-icon Redhat Information

No data.

CWE