Vulnerabilities > Busybox

DATE CVE VULNERABILITY TITLE RISK
2017-10-24 CVE-2017-15874 Integer Underflow (Wrap or Wraparound) vulnerability in Busybox 1.27.2
archival/libarchive/decompress_unlzma.c in BusyBox 1.27.2 has an Integer Underflow that leads to a read access violation.
network
busybox CWE-191
4.3
2017-10-24 CVE-2017-15873 Integer Overflow or Wraparound vulnerability in multiple products
The get_next_block function in archival/libarchive/decompress_bunzip2.c in BusyBox 1.27.2 has an Integer Overflow that may lead to a write access violation.
4.3
2017-08-07 CVE-2011-5325 Path Traversal vulnerability in multiple products
Directory traversal vulnerability in the BusyBox implementation of tar before 1.22.0 v5 allows remote attackers to point to files outside the current working directory via a symlink.
network
low complexity
busybox debian canonical CWE-22
5.0
2017-03-12 CVE-2014-9645 Improper Input Validation vulnerability in Busybox
The add_probe function in modutils/modprobe.c in BusyBox before 1.23.0 allows local users to bypass intended restrictions on loading kernel modules via a / (slash) character in a module name, as demonstrated by an "ifconfig /usbserial up" command or a "mount -t /snd_pcm none /" command.
local
low complexity
busybox CWE-20
2.1
2017-02-09 CVE-2016-2148 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Heap-based buffer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to have unspecified impact via vectors involving OPTION_6RD parsing.
network
low complexity
busybox debian canonical CWE-119
7.5
2017-02-09 CVE-2016-2147 Integer Overflow or Wraparound vulnerability in multiple products
Integer overflow in the DHCP client (udhcpc) in BusyBox before 1.25.0 allows remote attackers to cause a denial of service (crash) via a malformed RFC1035-encoded domain name, which triggers an out-of-bounds heap write.
network
low complexity
busybox debian canonical CWE-190
5.0
2016-12-09 CVE-2016-6301 Resource Management Errors vulnerability in Busybox
The recv_and_process_client_pkt function in networking/ntpd.c in busybox allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged NTP packet, which triggers a communication loop.
network
low complexity
busybox CWE-399
7.8
2013-11-23 CVE-2013-1813 Permissions, Privileges, and Access Controls vulnerability in multiple products
util-linux/mdev.c in BusyBox before 1.21.0 uses 0777 permissions for parent directories when creating nested directories under /dev/, which allows local users to have unknown impact and attack vectors.
local
low complexity
redhat t-mobile busybox CWE-264
7.2
2012-07-03 CVE-2011-2716 Improper Input Validation vulnerability in multiple products
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.
high complexity
t-mobile busybox CWE-20
6.8
2006-04-04 CVE-2006-1058 Use of Password Hash With Insufficient Computational Effort vulnerability in multiple products
BusyBox 1.1.1 does not use a salt when generating passwords, which makes it easier for local users to guess passwords from a stolen password file using techniques such as rainbow tables.
local
low complexity
busybox avaya CWE-916
5.5