CVE-2023-32700

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Command Injection
Base Score (CVSS 3.x)

Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.8 HIGH    LOCAL        LOW              NONE            CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitre      CNA   ---         ---          ---              ---             ---
CVE        ADP   ---         ---          ---              ---             ---
CISA-ADP   ADP   8.8 HIGH    NETWORK      LOW              LOW             CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score: percentile 47%
Affected versions

Vendor          Product   Version
luatex_project  luatex    1.04 ≤ x < 1.16.2
miktex          miktex    2.9.6300 ≤ x < 23.5
tug             tex_live  2017 ≤ x < 2023

x = vulnerable software versions
Debian Releases (product: texlive-bin)

Codename             Version                           Status
bullseye             2020.20200327.54578-7+deb11u1     fixed
bullseye (security)  2020.20200327.54578-7+deb11u2     fixed
bookworm             2022.20220321.62855-5.1+deb12u1   fixed
sid                  2024.20240313.70630+ds-5          fixed
trixie               2024.20240313.70630+ds-5          fixed
Ubuntu Releases (product: texlive-bin)

Codename  Fixed version                     Status
lunar     2022.20220321.62855-5ubuntu0.1    released
kinetic   2022.20220321.62855-4ubuntu0.1    released
jammy     2021.20210626.59705-1ubuntu0.1    released
focal     2019.20190605.51237-3ubuntu0.1    released
bionic    2017.20170613.44572-8ubuntu0.2    released
xenial    (none)                            not-affected
trusty    (none)                            ignored
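Added check, not part of this CVE record and not code from the LuaTeX, TeX Live or Debian/Ubuntu projects: a POSIX shell script that decides whether an installed luatex binary, or a Debian/Ubuntu texlive-bin package, predates the fix. It uses the description's threshold of LuaTeX 1.17.0 as the first fixed release (the version table above ends the luatex range below 1.16.2; the description's bound is the more conservative of the two and is the one applied here). Assumptions made by this example: "luatex --version" prints a first line of the form "This is LuaTeX, Version 1.16.0 (TeX Live 2023)", and /etc/os-release provides VERSION_CODENAME; the per-codename fixed texlive-bin versions are copied from the Debian and Ubuntu tables above. The function names (version_lt, luatex_vulnerable, texlive_bin_fixed, texlive_bin_vulnerable, check_host) are chosen for this example.

```shell
#!/bin/sh
# Added example for CVE-2023-32700 (not the CVE record's or any project's code).
# Assumptions: fixed LuaTeX release is 1.17.0 (from the CVE description);
# "luatex --version" banner looks like "This is LuaTeX, Version 1.16.0 (TeX Live 2023)";
# fixed texlive-bin versions per codename are copied from the Debian/Ubuntu tables.

# version_lt A B: succeed (exit 0) when dot-separated version A sorts before B.
# Components compare numerically and missing ones count as 0, so
# 1.04 < 1.16.2 < 1.17.0 and 1.17 is not below 1.17.0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# First LuaTeX release carrying the fix, per the CVE description.
LUATEX_FIXED="1.17.0"

# luatex_vulnerable VERSION: succeed when VERSION is older than the fixed release.
luatex_vulnerable() {
    version_lt "$1" "$LUATEX_FIXED"
}

# luatex_version_from_banner LINE: extract "1.16.0" from the --version banner.
luatex_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*Version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# texlive_bin_fixed CODENAME: first fixed texlive-bin version for a Debian/Ubuntu
# codename as listed on this page. Fails (prints nothing) for releases with no
# fixed version (xenial: not-affected, trusty: ignored) and for unknown codenames.
texlive_bin_fixed() {
    case "$1" in
        bullseye)   echo "2020.20200327.54578-7+deb11u1" ;;
        bookworm)   echo "2022.20220321.62855-5.1+deb12u1" ;;
        sid|trixie) echo "2024.20240313.70630+ds-5" ;;
        lunar)      echo "2022.20220321.62855-5ubuntu0.1" ;;
        kinetic)    echo "2022.20220321.62855-4ubuntu0.1" ;;
        jammy)      echo "2021.20210626.59705-1ubuntu0.1" ;;
        focal)      echo "2019.20190605.51237-3ubuntu0.1" ;;
        bionic)     echo "2017.20170613.44572-8ubuntu0.2" ;;
        *)          return 1 ;;
    esac
}

# texlive_bin_vulnerable CODENAME INSTALLED: succeed when the installed Debian
# package version is older than the fixed one. Debian version strings (epochs,
# "+deb11u1", "~") do not sort numerically, so dpkg's own comparison is used;
# returns 2 ("unknown") when dpkg is not available.
texlive_bin_vulnerable() {
    fixed=$(texlive_bin_fixed "$1") || return 1   # nothing to fix / unknown codename
    command -v dpkg >/dev/null 2>&1 || return 2
    dpkg --compare-versions "$2" lt "$fixed"
}

# check_host: inspect the current machine; prints findings, returns 1 if anything
# vulnerable was found, 0 otherwise. Safe to run on hosts without TeX.
check_host() {
    rc=0
    if command -v luatex >/dev/null 2>&1; then
        ver=$(luatex_version_from_banner "$(luatex --version 2>/dev/null | head -n 1)")
        if luatex_vulnerable "$ver"; then
            echo "luatex $ver: VULNERABLE to CVE-2023-32700 (fixed in $LUATEX_FIXED)"; rc=1
        else
            echo "luatex $ver: not affected"
        fi
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        pkg=$(dpkg-query -W -f '${Version}' texlive-bin 2>/dev/null)
        code=$(. /etc/os-release 2>/dev/null && echo "${VERSION_CODENAME:-}")
        if [ -n "$pkg" ] && texlive_bin_vulnerable "$code" "$pkg"; then
            echo "texlive-bin $pkg on $code: VULNERABLE (fixed in $(texlive_bin_fixed "$code"))"; rc=1
        fi
    fi
    return $rc
}

check_host
```

Run it as "sh check.sh" on the host being audited; a TeX Live installed from tug.org rather than from the distribution has no texlive-bin package, so only the luatex binary check applies there, and MiKTeX is not covered at all. The package comparison deliberately goes through dpkg --compare-versions rather than the numeric version_lt, because a string such as 2020.20200327.54578-7+deb11u2 is only ordered correctly by Debian's own rules.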