Vulnerability Details CVE-2023-32700
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 47.8%
CVSS Severity
CVSS v3 Score 7.8
References
- https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://tug.org/~mseven/luatex.html
- https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://tug.org/~mseven/luatex.html
Products affected by CVE-2023-32700
-
cpe:2.3:a:luatex_project:luatex:1.06.1
-
cpe:2.3:a:luatex_project:luatex:1.06.3
-
cpe:2.3:a:luatex_project:luatex:1.07.0
-
cpe:2.3:a:luatex_project:luatex:1.08.0
-
cpe:2.3:a:luatex_project:luatex:1.09.0
-
cpe:2.3:a:luatex_project:luatex:1.09.2
-
cpe:2.3:a:luatex_project:luatex:1.10.0
-
cpe:2.3:a:luatex_project:luatex:1.11.1
-
cpe:2.3:a:luatex_project:luatex:1.12.0
-
cpe:2.3:a:luatex_project:luatex:1.13.0
-
cpe:2.3:a:luatex_project:luatex:1.13.1
-
cpe:2.3:a:luatex_project:luatex:1.13.2
-
cpe:2.3:a:luatex_project:luatex:1.14.1
-
cpe:2.3:a:luatex_project:luatex:1.15.0
-
cpe:2.3:a:luatex_project:luatex:1.16.0
-
cpe:2.3:a:miktex:miktex:*
-
cpe:2.3:a:tug:tex_live:2018-09-21