CVE-2023-32668

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-32668
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

5.5 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 Release Notes
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 Patch
https://tug.org/pipermail/tex-live/2023-May/049188.html Issue Tracking Mailing List Mitigation
https://tug.org/~mseven/luatex.html#luasocket Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:*
cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:*
cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:*
History

23 May 2023, 17:31

Type Values Removed Values Added
References (MISC) https://tug.org/~mseven/luatex.html#luasocket - (MISC) https://tug.org/~mseven/luatex.html#luasocket - Exploit, Vendor Advisory
CVSS v2 : unknown
v3 : 9.8 		v2 : unknown
v3 : 5.5
CPE cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:*
cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:*
First Time Miktex
Tug
Tug tex Live
Miktex miktex

20 May 2023, 18:15

Type Values Removed Values Added
References
  • (MISC) https://tug.org/~mseven/luatex.html#luasocket -
Summary LuaTeX before 1.17.0 enables the socket library by default. LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

19 May 2023, 01:53

Type Values Removed Values Added
First Time Luatex Project luatex
Luatex Project
References (MISC) https://tug.org/pipermail/tex-live/2023-May/049188.html - (MISC) https://tug.org/pipermail/tex-live/2023-May/049188.html - Issue Tracking, Mailing List, Mitigation
References (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 - (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0 - Patch
References (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 - (MISC) https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3 - Release Notes
CPE cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:*
CWE NVD-CWE-noinfo
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8

11 May 2023, 06:15

Type Values Removed Values Added
New CVE
Information

Published : 2023-05-11 06:15

Updated : 2023-12-10 15:01

NVD link : CVE-2023-32668

Mitre link : CVE-2023-32668

CVE.ORG link : CVE-2023-32668

JSON object : View

Products Affected

tug

  • tex_live

miktex

  • miktex

luatex_project

  • luatex
CWE
NVD-CWE-noinfo