Critical Photon OS Security Update - PHSA-2022-0168
Updates of 'linux-aws', 'linux', 'lua', 'curl', 'linux-secure', 'bindutils', 'vim', 'linux-rt', 'linux-esx' packages of Photon OS have been released...
Critical Photon OS Security Update - PHSA-2022-4.0-0168
Updates of 'vim', 'linux-rt', 'lua', 'linux', 'curl', 'linux-secure', 'linux-esx', 'bindutils', 'linux-aws' packages of Photon OS have been released...
Redis Lua Remote Code Execution (CVE-2022-0543)
A remote code execution vulnerability exists in Redis Lua. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...
CVE-2022-28223
Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin...
Code injection
Tekon KIO devices through 2022-03-30 allow an authenticated admin user to escalate privileges to root by uploading a malicious Lua plugin...
CVE-2022-28223
Tekon KIO devices (up to 2022-03-30) are affected. An authenticated admin can escalate to root by uploading a malicious Lua plugin, enabling privilege escalation with high impact. The documents do not specify exact affected versions/models, root-cause details, or a published fix. No exploitation...
Tekon KIO Code Issue Vulnerability
Tekon KIO is a controller from the Russian company Tekon. A security vulnerability exists in the Tekon KIO device that originates from allowing an authenticated administrator user to elevate privileges to root by uploading a malicious Lua plugin...
CVE-2022-25757
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the bodyschema validation in the request-validation plugin. For example,...
Input validation
In Apache APISIX before 2.13.0, when decoding JSON with duplicate keys, lua-cjson will choose the last occurred value as the result. By passing a JSON with a duplicate key, the attacker can bypass the bodyschema validation in the request-validation plugin. For example,...
CVE-2022-25757
CVE-2022-25757 (Apache APISIX) affects APISIX up to version 2.12.x before 2.13.0. When decoding JSON with duplicate keys, lua-cjson returns the last value, allowing an attacker to bypass the body_schema validation in the request-validation plugin (e.g., {"string_payload":"bad","string_payload":"g...
Muhstik Botnet Targeting Redis Servers Using Recently Disclosed Vulnerability
Muhstik, a botnet infamous for propagating via web application exploits, has been observed targeting Redis servers using a recently disclosed vulnerability in the database system. The vulnerability relates to CVE-2022-0543, a Lua sandbox escape flaw in the open-source, in-memory, key-value data...
Lua Resource Management Error Vulnerability
Lua is a lightweight, extensible open source scripting language from the Lua team. Lua interpreter versions 5.4.0 through 5.4.3 are vulnerable to a resource management error, which can be exploited by attackers to perform a sandbox escape via a specially crafted script file...
Debian-specific Redis Server Lua Sandbox Escape Vulnerability
Redis is prone to a Debian-specific Lua sandbox escape, which could result in remote code execution...
CLSA-2022-1648136411 Fix of CVE: CVE-2022-22721, CVE-2022-22719, CVE-2022-23943, CVE-2022-22720
CVE-2022-22719: mod_lua: error out if lua_read_body or lua_write_body fail - CVE-2022-22720: simpler connection close logic if discarding the request body fails - CVE-2022-22721: make sure and check that LimitXMLRequestBody fits in system memory - CVE-2022-23943: mod_sed: use size_t to allow for larger...
CLSA-2022-1648136371 Fix of CVE: CVE-2022-22721, CVE-2022-23943, CVE-2022-22719, CVE-2022-22720
CVE-2022-22719: mod_lua: error out if lua_read_body or lua_write_body fail - CVE-2022-22720: simpler connection close logic if discarding the request body fails - CVE-2022-22721: make sure and check that LimitXMLRequestBody fits in system memory - CVE-2022-23943: mod_sed: use size_t to allow for larger...
CLSA-2022-1648136327 Fix CVE(s): CVE-2022-23943, CVE-2022-22720, CVE-2022-22721, CVE-2022-22719
SECURITY UPDATE: mod_lua Use of uninitialized value in r:parsebody - debian/patches/CVE-2022-22719.patch: refactor lua_read_body in order to catch all possible errors - CVE-2022-22719 SECURITY UPDATE: HTTP request smuggling vulnerability in Apache HTTP Server 2.4.52 and earlier -...
VulnCheck KEV: CVE-2022-0543
Redis is prone to a Debian-specific Lua sandbox escape, which could result in remote code execution...