CVE-2017-16544

high

Description

In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the shell's tab autocomplete feature, which lists the filenames in a directory, does not sanitize those filenames before printing them, so any terminal escape sequence embedded in a filename is passed through to the terminal and interpreted. This could potentially result in code execution, arbitrary file writes, or other attacks.
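As an added illustration of the missing check (example code written for this page, not BusyBox's add_match or its fix): a filter that flags control bytes in a filename before it is echoed to a terminal and a helper that neutralizes them with '?' so a listing can still be shown. Sample filenames are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Return true if name contains no control bytes. ESC (0x1b) and other
 * control characters are what let a filename start a terminal escape
 * sequence when printed unsanitized, which is the root of CVE-2017-16544. */
bool filename_is_terminal_safe(const char *name)
{
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f)
            return false;
    }
    return true;
}

/* Copy name into out (at most outsz bytes, always NUL-terminated),
 * replacing each control byte with '?'. Returns the number of bytes replaced. */
size_t sanitize_for_terminal(const char *name, char *out, size_t outsz)
{
    size_t replaced = 0, i = 0;
    for (; name[i] && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c < 0x20 || c == 0x7f) { out[i] = '?'; replaced++; }
        else out[i] = (char)c;
    }
    if (outsz) out[i] = '\0';
    return replaced;
}

/* Convenience check: does sanitizing name yield exactly expected? */
bool sanitizes_to(const char *name, const char *expected)
{
    char buf[256];
    sanitize_for_terminal(name, buf, sizeof buf);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample filenames: a benign one, one carrying an ANSI
     * clear-screen sequence, and one with an embedded tab. */
    const char *names[] = { "report.txt", "evil\x1b[2Jfile", "tab\there" };
    char buf[64];
    for (size_t i = 0; i < 3; i++) {
        size_t n = sanitize_for_terminal(names[i], buf, sizeof buf);
        printf("%-6s %s (%zu byte(s) replaced)\n",
               filename_is_terminal_safe(names[i]) ? "safe" : "unsafe", buf, n);
    }
    return 0;
}
```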

References

https://www.twistlock.com/2017/11/20/cve-2017-16544-busybox-autocompletion-vulnerability/

https://usn.ubuntu.com/3935-1/

https://us-cert.cisa.gov/ics/advisories/icsa-20-240-01

https://lists.debian.org/debian-lts-announce/2021/02/msg00020.html

https://lists.debian.org/debian-lts-announce/2018/07/msg00037.html

https://git.busybox.net/busybox/commit/?id=c3797d40a1c57352192c6106cc0f435e7d9c11e8

http://www.vmware.com/security/advisories/VMSA-2019-0013.html

Details

Source: Mitre, NVD

Published: 2017-11-20

Updated: 2022-10-28

Risk Information

CVSS v2

Base Score: 6.5

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Severity: High