CVE-2023-32700 — Command Injection in Project Luatex

CWE-77 — Command Injection6 documents6 sources

Severity

7.8HIGHNVD

EPSS

0.2%

top 51.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Luatex Project Luatex Miktex TUG TEX Live +1 more

Timeline

PublishedMay 20

Latest updateMay 30

Description

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶NVDluatex_project/luatex1.04 — 1.16.2

▶NVDtug/tex_live2017 — 2023

▶NVDmiktex/miktex2.9.6300 — 23.5

▶debiandebian/texlive-bin< texlive-bin 2022.20220321.62855-5.1 (bookworm)

Patches

Patch: tug.org ↗Patch: tug.org ↗

🔴Vulnerability Details

OSV

CVE-2023-32700: LuaTeX before 1↗2023-05-20

▶

GHSA

GHSA-7xcp-5fvh-7fwm: LuaTeX before 1↗2023-05-20

▶

📋Vendor Advisories

Ubuntu

TeX Live vulnerability↗2023-05-30

▶

Red Hat

texlive: arbitrary code execution allows document complied with older version↗2023-05-20

▶

Debian

CVE-2023-32700: texlive-bin - LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling...↗2023

▶