CVE-2023-32668

2023-05-1106:15:10

[email protected]

web.nvd.nist.gov

luatex

arbitrary network requests

socket library

tex live

miktex

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

5.8

Confidence

High

EPSS

0.001

Percentile

27.0%

JSON

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Affected configurations

Nvd

Node

luatex_projectluatexRange0.27.0–1.17.0

miktexmiktexRange2.9.0–23.5

tugtex_liveRange2009–2023

VendorProductVersionCPE
luatex_projectluatex*cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:*
miktexmiktex*cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:*
tugtex_live*cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
luatex_project	luatex	*	cpe:2.3:a:luatex_project:luatex::::::::
miktex	miktex	*	cpe:2.3:a:miktex:miktex::::::::
tug	tex_live	*	cpe:2.3:a:tug:tex_live::::::::