CVE-2019-19391 — Type Confusion in Project Moonjit
Severity
9.1 CRITICAL (NVD)
EPSS
0.2%
top 58.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Nov 29
Latest update: May 24
Description
In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug library is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thu…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability: 3.9 | Impact: 5.2
Affected Packages: 9 packages
Patches
Vulnerability Details: 3
Vendor Advisories: 2
Microsoft (2019-11-12): In LuaJIT through 2.0.5 as used in Moonjit before 2.1.2 and other products debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations because certain cases involv
Debian (2019): CVE-2019-19391: luajit - In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, deb...