CVE-2020-11722
Published: 12 April 2020
Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.
Priority
Status
Package | Release | Status |
---|---|---|
crawl | focal | Needs triage |
crawl | impish | Not vulnerable (2:0.25.0-1) |
crawl | groovy | Not vulnerable (2:0.25.0-1) |
crawl | hirsute | Not vulnerable (2:0.25.0-1) |
crawl | xenial | Needs triage |
crawl | jammy | Not vulnerable (2:0.25.0-1) |
crawl | kinetic | Not vulnerable (2:0.25.0-1) |
crawl | lunar | Not vulnerable (2:0.25.0-1) |
crawl | bionic | Needs triage |
crawl | eoan | Ignored (end of life) |
crawl | trusty | Does not exist |
crawl | upstream | Needs triage |
crawl | mantic | Not vulnerable (2:0.25.0-1) |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11722
- https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html
- https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04
- https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28
- NVD
- Launchpad
- Debian