CVE-2023-32668
Published: 11 May 2023
LuaTeX before 1.17.0 allows a document compiled with the default settings (in particular, without --shell-escape) to make arbitrary network requests. This occurs because Lua code embedded in the document has full access to the socket library by default, as stated in the LuaTeX documentation. The impact lands on the host that compiles the document, so the realistic exposure is any build service, CI job or document-conversion pipeline that runs luatex on untrusted .tex input. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Priority
Status
Package | Release | Status |
---|---|---|
texlive-bin (Launchpad, Ubuntu, Debian) | focal | Released (2019.20190605.51237-3ubuntu0.2) |
| trusty | Ignored (end of standard support) |
| upstream | Released (2022.20220321.62855-6) |
| xenial | Needed |
| kinetic | Ignored (end of life, was needed) |
| bionic | Needed |
| mantic | Not vulnerable (2022.20220321.62855-6) |
| lunar | Ignored (end of life, was needed) |
| jammy | Released (2021.20210626.59705-1ubuntu0.2) |

Patches (upstream):
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/b266ef076c96b382cd23a4c93204e247bb98626a
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/e7df9234420973a2f69aac1b10cbb5f00b0cda4d
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/commit/da4492c789e25f05255d54e45447d3da79098967
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32668
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://ubuntu.com/security/notices/USN-6695-1
- NVD
- Launchpad
- Debian