Improper input validation in BusyBox
CVE-2011-2716
The DHCP client (udhcpc) in BusyBox before 1.20.0 allows remote DHCP servers to execute arbitrary commands via shell metacharacters in the (1) HOST_NAME, (2) DOMAIN_NAME, (3) NIS_DOMAIN, and (4) TFTP_SERVER_NAME host name options.
Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)
EPSS: 0.007 (72.7th percentile)
Affected products
- BusyBox — versions 0.60.5, 1.00, 1.0.0
- T-Mobile TM-AC1900 — versions 3.0.0.4.376_3169
Weakness classification (CWE)
References
- secalert@redhat.com (x_refsource_CONFIRM)
- 45363 (x_refsource_SECUNIA, third-party-advisory, Vendor Advisory)
- secalert@redhat.com (x_refsource_CONFIRM, Patch)
- RHSA-2012:0810 (x_refsource_REDHAT, vendor-advisory)
- 48879 (vdb-entry, x_refsource_BID)
- MDVSA-2012:129 (vendor-advisory, x_refsource_MANDRIVA)
- 20190612 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series (mailing-list, x_refsource_FULLDISC)
- 20190613 SEC Consult SA-20190612-0 :: Multiple vulnerabilities in WAGO 852 Industrial Managed Switch Series (mailing-list, x_refsource_BUGTRAQ)