
CVE-2022-28391 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.

Open amehta-mstr opened this issue 3 years ago • 4 comments


Severity: Critical with 9.8 score

amehta-mstr, Apr 13 '22 17:04
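The vulnerability class in the title is untrusted text (here a DNS PTR value) written unfiltered to a VT-compatible terminal, which interprets ESC-prefixed sequences as commands. The usual defence is to pass any resolver-supplied name through a printable-character filter before it reaches the terminal. The following is an added illustration of that filter in C, not BusyBox's own code and not its actual fix; the function names, the '?' replacement policy and the sample PTR value are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not BusyBox code. Copy src into dst, replacing every byte
   outside printable ASCII (0x20..0x7E) with '?', so a resolver-controlled
   hostname cannot carry ESC/CSI bytes to the terminal. Writes at most
   dst_len - 1 characters plus a terminating NUL. Returns the number of
   bytes that were replaced. */
size_t sanitize_for_terminal(char *dst, size_t dst_len, const char *src) {
    size_t replaced = 0, i;
    if (dst_len == 0) return 0;
    for (i = 0; src[i] != '\0' && i + 1 < dst_len; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c >= 0x20 && c <= 0x7E) {
            dst[i] = (char)c;
        } else {
            dst[i] = '?';
            replaced++;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Detection helper: returns 1 if the string contains a byte a terminal
   would treat as the start of a control sequence (ESC 0x1B or C1 CSI 0x9B),
   e.g. when auditing resolver answers recorded in logs. */
int contains_terminal_escape(const char *s) {
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == 0x1B || c == 0x9B) return 1;
    }
    return 0;
}

int main(void) {
    /* Constructed sample: a PTR value wrapping an ANSI colour sequence. */
    const char *hostile = "evil.example\x1b[31;1mRED\x1b[0m.";
    char safe[128];
    size_t n = sanitize_for_terminal(safe, sizeof safe, hostile);
    printf("raw value contains escape: %d\n", contains_terminal_escape(hostile));
    printf("sanitized: %s (%zu bytes replaced)\n", safe, n);
    return 0;
}
```

Running the sample prints the two ESC bytes as '?', leaving the rest of the sequence as harmless visible text; a stricter policy for hostnames could additionally reject anything outside the DNS label alphabet.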

Unfortunately, there hasn't been a new release of BusyBox that includes a fix: https://busybox.net/ :disappointed:

That being said, I obviously can't speak for all users of this image, but I imagine that specific vulnerable workflow is going to be very rare with users of this image. :sweat_smile:

tianon, Apr 13 '22 20:04

Any update on this? About to have to abandon Alpine Linux (BusyBox dependency) at my company unless we can get an idea if this will ever be addressed. Based on the last release it feels like BusyBox is dead and thus will retain these vulnerabilities indefinitely, which various vuln software rate as Critical or High.

addisonautomates, Nov 22 '22 18:11

Unfortunately, you're asking the wrong folks -- we don't maintain BusyBox, just the Docker container image packaging of it that's available at https://hub.docker.com/_/busybox.

tianon, Nov 28 '22 23:11

I think https://bugs.busybox.net/show_bug.cgi?id=CVE-2022-28391 is probably the appropriate place to track this :eyes:

tianon, Dec 20 '23 20:12