Fluid Attacks Database

Description

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	texlive-bin	>=0 <2022.20220321.62855-5.1	2022.20220321.62855-5.1
debian 11	texlive-bin	=2020.20200327.54578-7 \|\| >=0 <2020.20200327.54578-7+deb11u1	2020.20200327.54578-7+deb11u1
debian 12	texlive-bin	>=0 <2022.20220321.62855-5.1	2022.20220321.62855-5.1
debian 13	texlive-bin	>=0 <2022.20220321.62855-5.1	2022.20220321.62855-5.1
rpm rhel7	texlive	-	-
rpm rhel8	texlive	<7:20180414-29.el8_8	7:20180414-29.el8_8
rpm rhel8.6	texlive	<7:20180414-26.el8_6	7:20180414-26.el8_6
rpm rhel9	texlive	<9:20200406-26.el9_2	9:20200406-26.el9_2
rpm rhel9.0	texlive	<9:20200406-26.el9_0	9:20200406-26.el9_0

Aliases

1. CVE-2023-327002. NVD-2023-327003. OSV-DEBIAN-2023-327004. OSV-2023-327005. SECURITY-TRACKER-CVE-2023-32700

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.