In LuaJIT through 2.0.5 as used in Moonjit before 2.1.2 and other products debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However not all users of later LuaJIT derivatives share this perspective

🗓️ 30 Jun 2024 14:00:00Reported by MicrosoftType

LuaJIT debug.getinfo type confusion enables arbitrary memory read or write due to mishandled stack levels and options.

Reporter	Title	Published	Views	Family All 32
CBLMariner	CVE-2019-19391 affecting package sysbench for versions less than 1.0.20-3	21 Jun 202409:32	–	cbl_mariner
Circl	CVE-2019-19391	5 Mar 202413:42	–	circl
CNVD	LuaJIT Type Obfuscation Vulnerability	2 Dec 201900:00	–	cnvd
CVE	CVE-2019-19391	29 Nov 201915:18	–	cve
Cvelist	CVE-2019-19391	29 Nov 201915:18	–	cvelist
Debian	[SECURITY] [DLA 4283-1] luajit security update	25 Aug 202521:57	–	debian
Debian CVE	CVE-2019-19391	29 Nov 201915:18	–	debiancve
Tenable Nessus	Debian dla-4283 : libluajit-5.1-2 - security update	25 Aug 202500:00	–	nessus
Tenable Nessus	Linux Distros Unpatched Vulnerability : CVE-2019-19391	4 Mar 202500:00	–	nessus
F5 Networks	K000150505: LuaJIT vulnerabilities CVE-2019-19391, CVE-2020-15890, CVE-2020-24372	24 Mar 202500:13	–	f5