CVE-2023-32668

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:*
cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:*
cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:03

Type Values Removed Values Added
References () https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 - Release Notes () https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 - Release Notes
References () https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 - Patch () https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 - Patch
References () https://tug.org/pipermail/tex-live/2023-May/049188.html - Issue Tracking, Mailing List, Mitigation () https://tug.org/pipermail/tex-live/2023-May/049188.html - Issue Tracking, Mailing List, Mitigation
References () https://tug.org/~mseven/luatex.html#luasocket - Exploit, Vendor Advisory () https://tug.org/~mseven/luatex.html#luasocket - Exploit, Vendor Advisory

23 May 2023, 17:31

Type Values Removed Values Added
References (MISC) https://tug.org/~mseven/luatex.html#luasocket - (MISC) https://tug.org/~mseven/luatex.html#luasocket - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : 9.8
v2 : unknown
v3 : 5.5
CPE cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:*
cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:*

20 May 2023, 18:15

Type Values Removed Values Added
Summary LuaTeX before 1.17.0 enables the socket library by default. LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
References
  • (MISC) https://tug.org/~mseven/luatex.html#luasocket -

19 May 2023, 01:53

Type Values Removed Values Added
References (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 - (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 - Release Notes
References (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 - (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 - Patch
References (MISC) https://tug.org/pipermail/tex-live/2023-May/049188.html - (MISC) https://tug.org/pipermail/tex-live/2023-May/049188.html - Issue Tracking, Mailing List, Mitigation
CPE cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

11 May 2023, 06:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-05-11 06:15

Updated : 2024-11-21 08:03


NVD link : CVE-2023-32668

Mitre link : CVE-2023-32668

CVE.ORG link : CVE-2023-32668


JSON object : View

Products Affected

miktex

  • miktex

luatex_project

  • luatex

tug

  • tex_live