CVE-2017-16544
8.8
HIGH
CVSS 3.1
EPSS 1.2%
Description
In the add_match function in libbb/lineedit.c in BusyBox through 1.27.2, the tab autocomplete feature of the shell, used to get a list of filenames in a directory, does not sanitize filenames and results in executing any escape sequence in the terminal. This could potentially result in code execution, arbitrary file writes, or other attacks.
How to fix CVE-2017-16544
To remediate CVE-2017-16544, upgrade the affected package to a fixed version below.
- —upgrade to 1.27.2-r4 or later
- —upgrade to 1:1.27.2-2 or later
Is CVE-2017-16544 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 1.27.2-r4
- from 0, < 1:1.27.2-2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |