Home > Vulnerability Database > CVE-2023-32700

Mend.io Vulnerability Database

CVE-2023-32700

Date: May 19, 2023

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Language: C

Severity Score

7.8

Related Resources (11)

Url: https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-32700

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/

Url: https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/

Url: https://tug.org/pipermail/tex-live/2023-May/049188.html

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/

Url: https://tug.org/~mseven/luatex.html

Url: https://access.redhat.com/security/cve/CVE-2023-32700

Url: https://www.mend.io/vulnerability-database/CVE-2023-32700

Severity Score

7.8

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

CVSS v3.1

Base Score:	7.8
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-32700

Date: May 19, 2023

Language: C

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?