BIT-APISIX-2022-25757 Apache APISIX: the body_schema check in request-validation plugin can be bypassed

In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the bodyschema validation in the request-validation plugin. For example,...

CentOS 9 : lua-5.4.4-3.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the lua-5.4.4-3.el9 build changelog. - singlevar in lparser.c in Lua from including 5.4.0 up to excluding 5.4.4 lacks a certain luaKexp2anyregup call, leading to a heap-based buffer over-re...

CentOS 9 : lua-5.4.2-7.el9

The remote CentOS Linux 9 host has packages installed that are affected by a vulnerability as referenced in the lua-5.4.2-7.el9 build changelog. - An issue in the component luaGrunerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. CVE-2022-33099 Note that...

Amazon Linux 2023 : lua, lua-devel, lua-libs (ALAS2023-2024-533)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2024-533 advisory. 2024-05-09: CVE-2022-33099 was added to this advisory. In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 An issue in the...

Medium: lua

Issue Overview: In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 An issue in the component luaGrunerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. CVE-2022-33099 Affected Packages: lua...

Medium: lua

Issue Overview: In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 An issue in the component luaGrunerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. CVE-2022-33099 Affected Packages: lua...

PT-2024-40581 · Git +1 · Tarantool

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided description. Description: The issue is related to a crash, specifically a Segv on an unknown address, which occurs during a lua pcall. The crash state includes lj BC RET1 and is...

Debian dsa-5610 : redis - security update

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5610 advisory. - Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and...

GL.iNet Unauthenticated Remote Command Execution via the logread module.

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the glsystemlog and glcrashlog interface in the logread module. This exploit requires post-authentication using the Admin-Token...

GL.iNet Unauthenticated Remote Command Execution Exploit

A command injection vulnerability exists in multiple GL.iNet network products, allowing an attacker to inject and execute arbitrary shell commands via JSON parameters at the glsystemlog and glcrashlog interface in the logread module. This Metasploit exploit requires post-authentication using the...

[SECURITY] Fedora 38 Update: redis-7.0.15-1.fc38

Redis is an advanced key-value store. It is often referred to as a data structure server since keys can contain strings, hashes, lists, sets and sorted sets. You can run atomic operations on these types, like appending to a string; incrementing the value in a hash; pushing to a list; computing se...

Fedora: Security Advisory for redis (FEDORA-2024-694899d442)

The remote host is missing an update for the SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

The vulnerabilities of microprogrammed software in routers such as GL-A1300, GL-AX1800, GL-AXT1800, GL-MT3000, GL-MT2500, GL-MT6000, GL-MT1300, GL-MT300N-V2, GL-AR750S, GL-AR750, GL-AR300M, and GL-B1300 allow attackers to bypass authentication procedures and gain unauthorized access to protected information.

The vulnerability of microprogrammed software in routers such as GL-A1300, GL-AX1800, GL-AXT1800, GL-MT3000, GL-MT2500, GL-MT6000, GL-MT1300, GL-MT300N-V2, GL-AR750S, GL-AR750, GL-AR300M, and GL-B1300 is related to deficiencies in authentication procedures when processing lua scripts. Exploiting...

EulerOS Virtualization 2.11.0 : lua (EulerOS-SA-2023-2763)

According to the versions of the lua package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 Note that Tenab...

EulerOS 2.0 SP11 : lua (EulerOS-SA-2023-2697)

According to the versions of the lua package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 Note that Tenable Network...

EulerOS 2.0 SP11 : lua (EulerOS-SA-2023-2655)

According to the versions of the lua package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 Note that Tenable Network...

EulerOS Virtualization 2.11.1 : lua (EulerOS-SA-2023-2732)

According to the versions of the lua package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. CVE-2021-45985 Note that Tenab...

CVE-2023-50919

An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR30...

CVE-2023-50919

An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR30...

Authentication flaw

An issue was discovered on GL.iNet devices before version 4.5.0. There is an NGINX authentication bypass via Lua string pattern matching. This affects A1300 4.4.6, AX1800 4.4.6, AXT1800 4.4.6, MT3000 4.4.6, MT2500 4.4.6, MT6000 4.5.0, MT1300 4.3.7, MT300N-V2 4.3.7, AR750S 4.3.7, AR750 4.3.7, AR30...