CVE-2023-32668

EUVD-2023-36911
LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
CISA-ADP | ADP | 5.5 MEDIUM | LOCAL | LOW | NONE | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS Score: Percentile 22%
Affected Products (NVD)
Vendor | Product | Version
luatex_project | luatex | 0.27.0 ≤ x < 1.17.0
miktex | miktex | 2.9.0 ≤ x < 23.5
tug | tex_live | 2009 ≤ x < 2023
x = vulnerable software versions
Debian Releases
Debian Product | Codename | Version | Status
texlive-bin | bookworm | 2022.20220321.62855-5.1+deb12u1 | fixed
texlive-bin | bullseye | | vulnerable
texlive-bin | bullseye (security) | 2020.20200327.54578-7+deb11u2 | fixed
texlive-bin | buster | | no-dsa
texlive-bin | sid | 2024.20240313.70630+ds-5 | fixed
texlive-bin | trixie | 2024.20240313.70630+ds-5 | fixed
Ubuntu Releases
Ubuntu Product | Codename | Fixed Version | Status
texlive-bin | bionic | | needed
texlive-bin | focal | 2019.20190605.51237-3ubuntu0.2 | released
texlive-bin | jammy | 2021.20210626.59705-1ubuntu0.2 | released
texlive-bin | kinetic | | ignored
texlive-bin | lunar | | ignored
texlive-bin | mantic | | not-affected
texlive-bin | noble | | not-affected
texlive-bin | oracular | | not-affected
texlive-bin | trusty | | ignored
texlive-bin | xenial | | needed