Source: ubuntucve (Ubuntu.com)
ID: UB:CVE-2021-43519
History: Nov 09, 2021 - 12:00 a.m.

CVE-2021-43519


CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS3: 5.5 Medium
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

AI Score: 6.1 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 41.0%)

Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows
attackers to perform a Denial of Service via a crafted script file.

Bugs

Notes

Author: Note

eslerm: lua deprecated from grub on 2009-09-26; debian/grub-extras/lua/ not compiled - see debian/rules and GRUB_CONTRIB; contrary to description, vulnerability appears to be introduced after 5.1

leosilva: for ceph, that ships with lua, lua affected is 5.4 up, for focal it is using 5.3, so not-affected. Also, code not found.

mdeslaur: SUSE bug says “this bug is only present in Lua 5.4.2 and 5.4.3” and the PoC crashing earlier versions may be unrelated to this CVE.
Introduced in 5.4.2 by: https://github.com/lua/lua/commit/287b302acb8d925178e9edb800f0a8d18c7d35f6
Fixed in 5.4.4 by: https://github.com/lua/lua/commit/74d99057a5146755e737c479850f87fd0e3b6868
