CVE-2023-32668
Published 2023-05-11
CVE-2023-32668: LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket…
Priority: P427 · medium · 5.5 (CVSS 3.1)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.37% (28.8th percentile)
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | texlive-bin | < texlive-bin 2022.20220321.62855-5.1+deb12u1 (bookworm) | texlive-bin 2022.20220321.62855-5.1+deb12u1 (bookworm) |
| luatex_project | luatex | >= 0.27.0 < 1.17.0 | 1.17.0 |
| miktex | miktex | >= 2.9.0 < 23.5 | 23.5 |
| tug | tex_live | >= 2009 < 2023 | 2023 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N |
| osv | 9.8 | CRITICAL | |
| vendor_ubuntu | 9.8 | CRITICAL | |
| vendor_debian | 5.5 | MEDIUM | |
OSV: texlive-bin vulnerabilities
osv · 2026-01-29 · CVSS 7.8 · CVE-2022-24106 [HIGH]
Shin Ando discovered that the Xpdf toolkit embedded in TeX Live incorrectly
handled memory when decoding certain data streams. An attacker could
possibly use this issue to cause TeX Live to crash, resulting in a denial
of service, or execute arbitrary code. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24106, CVE-2022-24107)
It was discovered that TeX Live allowed documents to make arbitrary network
requests. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could possibly use this issue
to exfiltrate sensitive information, or perform other network-related
attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
(CVE-2023-32668)
It was discovered that TeX Live in
OSV: texlive-bin vulnerabilities
osv · 2024-03-14 · CVSS 9.8 · CVE-2019-18604 [CRITICAL]
It was discovered that TeX Live incorrectly handled certain memory
operations in the embedded axodraw2 tool. An attacker could possibly use
this issue to cause TeX Live to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS. (CVE-2019-18604)
It was discovered that TeX Live allowed documents to make arbitrary
network requests. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could possibly use this issue
to exfiltrate sensitive information, or perform other network-related
attacks. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-32668)
It was discovered that TeX Live incorrectly handled certain TrueType fonts.
If a user or automated system were tric
GHSA: GHSA-hm67-jh95-48xh: LuaTeX before 1
ghsa_unreviewed · 2023-05-11 · CVE-2023-32668 [MEDIUM]
LuaTeX before 1.17.0 enables the socket library by default.
OSV: CVE-2023-32668: LuaTeX before 1
osv · 2023-05-11 · CVSS 5.5 · CVE-2023-32668 [MEDIUM]
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Ubuntu: TeX Live vulnerabilities
vendor_ubuntu · 2026-01-29 · CVSS 7.8 · CVE-2022-24107 [HIGH]
Summary: Several security issues were fixed in TeX Live.
Shin Ando discovered that the Xpdf toolkit embedded in TeX Live incorrectly
handled memory when decoding certain data streams. An attacker could
possibly use this issue to cause TeX Live to crash, resulting in a denial
of service, or execute arbitrary code. This issue only affected Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2022-24106, CVE-2022-24107)
It was discovered that TeX Live allowed documents to make arbitrary network
requests. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could possibly use this issue
to exfiltrate sensitive information, or perform other network-related
attacks. This issue only affected Ubuntu 16.04 LTS and Ubuntu 1
Ubuntu: TeX Live vulnerabilities
vendor_ubuntu · 2024-03-14 · CVSS 9.8 · CVE-2024-25262 [CRITICAL]
Summary: Several security issues were fixed in TeX Live.
It was discovered that TeX Live incorrectly handled certain memory
operations in the embedded axodraw2 tool. An attacker could possibly use
this issue to cause TeX Live to crash, resulting in a denial of service.
This issue only affected Ubuntu 20.04 LTS. (CVE-2019-18604)
It was discovered that TeX Live allowed documents to make arbitrary
network requests. If a user or automated system were tricked into opening a
specially crafted document, a remote attacker could possibly use this issue
to exfiltrate sensitive information, or perform other network-related
attacks. This issue only affected Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS.
(CVE-2023-32668)
It was discovered that TeX Live incorrectly handled c
Debian: CVE-2023-32668: texlive-bin - LuaTeX before 1.17.0 allows a document (compiled with the default settings) to m...
vendor_debian · 2023 · CVSS 5.5 · CVE-2023-32668 [MEDIUM]
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Scope: local
bookworm: resolved (fixed in 2022.20220321.62855-5.1+deb12u1)
bullseye: resolved (fixed in 2020.20200327.54578-7+deb11u2)
forky: resolved (fixed in 2022.20220321.62855-6)
sid: resolved (fixed in 2022.20220321.62855-6)
trixie: resolved (fixed in 2022.20220321.62855-6)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/blob/b266ef076c96b382cd23a4c93204e247bb98626a/source/texk/web2c/luatexdir/ChangeLog#L1-L3
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://tug.org/pipermail/tex-live/2023-May/049188.html
- https://tug.org/~mseven/luatex.html#luasocket
- https://lists.debian.org/debian-lts-announce/2024/10/msg00032.html
Published: 2023-05-11