CVE-2023-32700
Published: 2023-05-20
Priority P339 · high · 7.8 · CVSS 3.1
AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 0.80% (52.1th percentile)
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | texlive-bin | < texlive-bin 2022.20220321.62855-5.1 (bookworm) | texlive-bin 2022.20220321.62855-5.1 (bookworm) |
| luatex_project | luatex | >= 1.04 < 1.16.2 | 1.16.2 |
| miktex | miktex | >= 2.9.6300 < 23.5 | 23.5 |
| tug | tex_live | >= 2017 < 2023 | 2023 |
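CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |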
Ubuntu
TeX Live vulnerability
vendor_ubuntu·2023-05-30
Title: TeX Live vulnerability
Summary: LuaTeX (TeX Live) could be made to run programs as your login if it
compiled a specially crafted TeX file.
Max Chernoff discovered that LuaTeX (TeX Live) did not properly disable
shell escape. An attacker could possibly use this issue to execute
arbitrary shell commands.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
texlive: arbitrary code execution allows document compiled with older version
vendor_redhat·2023-05-20·CVSS 7.8
CVE-2023-32700 [HIGH] CWE-77 texlive: arbitrary code execution allows document compiled with older version
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
An arbitrary code execution vulnerability was found in LuaTeX (TeX Live) that allows any document compiled with older versions of LuaTeX to execute arbitrary shell commands, even with shell escape disabled.
Package: texlive (Red Hat Enterprise Linux 7) - Affected
Debian
CVE-2023-32700: texlive-bin - LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling...
vendor_debian·2023·CVSS 7.8
CVE-2023-32700 [HIGH] CVE-2023-32700: texlive-bin - LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling...
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Scope: local
bookworm: resolved (fixed in 2022.20220321.62855-5.1)
bullseye: resolved (fixed in 2020.20200327.54578-7+deb11u1)
forky: resolved (fixed in 2022.20220321.62855-5.1)
sid: resolved (fixed in 2022.20220321.62855-5.1)
trixie: resolved (fixed in 2022.20220321.62855-5.1)
OSV
CVE-2023-32700: LuaTeX before 1
osv·2023-05-20·CVSS 7.8
CVE-2023-32700 [HIGH] CVE-2023-32700: LuaTeX before 1
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
GHSA
GHSA-7xcp-5fvh-7fwm: LuaTeX before 1
ghsa_unreviewed·2023-05-20
CVE-2023-32700 [HIGH] CWE-77 GHSA-7xcp-5fvh-7fwm: LuaTeX before 1
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
https://tug.org/pipermail/tex-live/2023-May/049188.html
https://tug.org/~mseven/luatex.html