BDU:2022-04620

Уязвимость реализации функции singlevar() интерпретатора скриптов Lua, позволяющая нарушителю выполнить произвольный код

Severity: CRITICAL (9.1) Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

CVE-2022-28805

Published: 2022-04-08
Modified: 2024-11-21

CVE-2022-28805

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.

Severity: CRITICAL (9.1) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

References:

Published: 2022-07-01
Modified: 2024-11-21

CVE-2022-33099

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References:

Version: 2.1.0

Package lua5.4 update in sisyphus_riscv64 on 2024-03-21

ALT-PU-2024-4319-1

Closed vulnerabilities

BDU:2022-04620

CVE-2022-28805

CVE-2022-33099