CVE-2023-32668

2023-05-1106:15:10

Debian Security Bug Tracker

security-tracker.debian.org

luatex

arbitrary network requests

socket library

tex live

miktex

unix

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

27.0%

JSON

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

OSVersionArchitecturePackageVersionFilename
Debian12alltexlive-bin< 2022.20220321.62855-5.1+deb12u1texlive-bin_2022.20220321.62855-5.1+deb12u1_all.deb
Debian11alltexlive-bin<= 2020.20200327.54578-7+deb11u1texlive-bin_2020.20200327.54578-7+deb11u1_all.deb
Debian999alltexlive-bin< 2022.20220321.62855-6texlive-bin_2022.20220321.62855-6_all.deb
Debian13alltexlive-bin< 2022.20220321.62855-6texlive-bin_2022.20220321.62855-6_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	texlive-bin	< 2022.20220321.62855-5.1+deb12u1	texlive-bin_2022.20220321.62855-5.1+deb12u1_all.deb
Debian	11	all	texlive-bin	<= 2020.20200327.54578-7+deb11u1	texlive-bin_2020.20200327.54578-7+deb11u1_all.deb
Debian	999	all	texlive-bin	< 2022.20220321.62855-6	texlive-bin_2022.20220321.62855-6_all.deb
Debian	13	all	texlive-bin	< 2022.20220321.62855-6	texlive-bin_2022.20220321.62855-6_all.deb