CVE-2022-28391 BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
#133 · Open · amehta-mstr opened this issue Apr 13, 2022 · 4 comments
CVE-2022-28391
BusyBox through 1.35.0 allows remote attackers to execute arbitrary code if netstat is used to print a DNS PTR record's value to a VT compatible terminal. Alternatively, the attacker could choose to change the terminal's colors.
Severity: Critical with 9.8 score
Unfortunately, there hasn't been a new release of BusyBox that includes a fix: https://busybox.net/ 😞
That being said, I obviously can't speak for all users of this image, but I imagine that specific vulnerable workflow is going to be very rare with users of this image. 😅
Any update on this? About to have to abandon Alpine Linux (BusyBox dependency) at my company unless we can get an idea if this will ever be addressed. Based on the last release it feels like BusyBox is dead and thus will be retaining these vulnerabilities indefinitely, which various vuln software rate as Critical or High.
Unfortunately, you're asking the wrong folks -- we don't maintain BusyBox, just the Docker container image packaging of it that's available at https://hub.docker.com/_/busybox.
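The failure mode in the CVE description is a tool printing an attacker-influenced DNS name to a terminal without neutralising control bytes. As an added example (not BusyBox's code or its fix; `sanitize_for_terminal` and the sample PTR value are hypothetical), a program can filter such a name before display:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not BusyBox code): copy an untrusted name into out,
 * replacing every byte that is not printable ASCII with '?'.
 * Returns the number of bytes replaced, so callers can log tampering.
 * Output is truncated to fit outsz and is always NUL-terminated. */
static size_t sanitize_for_terminal(const char *in, char *out, size_t outsz)
{
    size_t replaced = 0, o = 0;

    if (outsz == 0)
        return 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        unsigned char c = (unsigned char)in[i];
        /* Rejects C0 controls (including ESC, 0x1b), DEL (0x7f) and all
         * 8-bit bytes, which covers the C1 range (including CSI, 0x9b). */
        if (c < 0x20 || c > 0x7e) {
            out[o++] = '?';
            replaced++;
        } else {
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return replaced;
}

int main(void)
{
    /* Constructed sample: a PTR value carrying a colour-change escape sequence. */
    const char ptr_value[] = "host\x1b[31m.example.test";
    char safe[256];
    size_t n = sanitize_for_terminal(ptr_value, safe, sizeof(safe));

    printf("%s (%zu byte(s) neutralised)\n", safe, n);
    return 0;
}
```

A non-zero return value is also a useful detection signal: legitimate hostnames do not contain control bytes.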