CVE-2023-32700 : LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Published 2023-05-20 18:15:09

Updated 2025-01-31 16:15:30

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-32700

TUG » Tex Live
Versions from including (>=) 2017 and before (<) 2023
cpe:2.3:a:tug:tex_live:*:*:*:*:*:*:*:*
Matching versions
Luatex Project » Luatex
Versions from including (>=) 1.04 and before (<) 1.16.2
cpe:2.3:a:luatex_project:luatex:*:*:*:*:*:*:*:*
Matching versions
Miktex » Miktex
Versions from including (>=) 2.9.6300 and before (<) 23.5
cpe:2.3:a:miktex:miktex:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-32700

EPSS FAQ

0.99%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 75 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-32700

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H	2.8	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-01-31
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.8	HIGH	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H	1.8	5.9	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-32700

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

References for CVE-2023-32700

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/

[SECURITY] Fedora 38 Update: texlive-base-20220321-72.fc38 - package-announce - Fedora mailing-lists
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/

[SECURITY] Fedora 37 Update: texlive-base-20210325-54.fc37 - package-announce - Fedora mailing-lists
https://tug.org/~mseven/luatex.html

LuaTeX Security Vulnerabilities
Patch;Vendor Advisory
https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984

Release Rebuild TL2023 for luatex · TeX-Live/texlive-source · GitHub
Release Notes
https://tug.org/pipermail/tex-live/2023-May/049188.html

luatex-1.17.0 update - tex-live mailing list - TeX Users Group
Release Notes

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/

[SECURITY] Fedora 38 Update: texlive-base-20220321-72.fc38 - package-announce - Fedora Mailing-Lists
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/

[SECURITY] Fedora 37 Update: texlive-base-20210325-54.fc37 - package-announce - Fedora Mailing-Lists
https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0

1.17.0 · Tags · TeXLive / luatex · GitLab
Release Notes

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-32700

Products affected by CVE-2023-32700

Exploit prediction scoring system (EPSS) score for CVE-2023-32700

CVSS scores for CVE-2023-32700

CWE ids for CVE-2023-32700

References for CVE-2023-32700