Information disclosure in BusyBox

Published: 2019-01-14 09:25:37
Severity: Low
Patch available: YES
Number of vulnerabilities: 1
CVE ID: CVE-2019-5747
CVSSv3: 4.8 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C]
CWE ID: CWE-125
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #1 is available.
Vulnerable software: BusyBox
Vulnerable software versions: BusyBox 1.28.1, BusyBox 1.28.2, BusyBox 1.28.3

Vendor URL: busybox.net

Security Advisory

1) Out-of-bounds read

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in udhcp components (consumed by the DHCP server, client, and/or relay). A remote attacker can leak sensitive information from the stack by sending a crafted DHCP message.

Remediation

Install updates from the vendor's website.

External links

https://bugs.busybox.net/show_bug.cgi?id=11506
https://git.busybox.net/busybox/commit/?id=74d9f1ba37010face4bd1449df4d60dd84450b06
