CVE-2023-32668

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  5.5 MEDIUM  LOCAL        LOW              NONE            CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
mitre      CNA   ---                                                       ---
CVE        ADP   ---                                                       ---
CISA-ADP   ADP   5.5 MEDIUM  LOCAL        LOW              NONE            CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Base Score: CVSS 3.x
EPSS Score: percentile 18%
Vendor          Product   Version
luatex_project  luatex    0.27.0 <= x < 1.17.0
miktex          miktex    2.9.0 <= x < 23.5
tug             tex_live  2009 <= x < 2023

x = Vulnerable software versions
Debian Releases

Debian Product  Codename             Version                          Status
texlive-bin     bullseye                                              vulnerable
                buster                                                no-dsa
                bullseye (security)  2020.20200327.54578-7+deb11u2    fixed
                bookworm             2022.20220321.62855-5.1+deb12u1  fixed
                sid                  2024.20240313.70630+ds-5         fixed
                trixie               2024.20240313.70630+ds-5         fixed
Ubuntu Releases

Ubuntu Product  Codename  Fixed Version                      Status
texlive-bin     oracular                                     not-affected
                noble                                        not-affected
                mantic                                       not-affected
                lunar                                        ignored
                kinetic                                      ignored
                jammy     2021.20210626.59705-1ubuntu0.2     released
                focal     2019.20190605.51237-3ubuntu0.2     released
                bionic                                       needed
                xenial                                       needed
                trusty                                       ignored