Fluid Attacks Database

Description

LuaTeX before 1.17.0 allows a document (compiled with the default settings) to make arbitrary network requests. This occurs because full access to the socket library is permitted by default, as stated in the documentation. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	texlive-bin	>=0 <2022.20220321.62855-6	2022.20220321.62855-6
debian 11	texlive-bin	=2020.20200327.54578-7 \|\| =2020.20200327.54578-7+deb11u1 \|\| >=0 <2020.20200327.54578-7+deb11u2	2020.20200327.54578-7+deb11u2
debian 12	texlive-bin	=2022.20220321.62855-5.1 \|\| >=0 <2022.20220321.62855-5.1+deb12u1	2022.20220321.62855-5.1+deb12u1
debian 14	texlive-bin	>=0 <2022.20220321.62855-6	2022.20220321.62855-6

Aliases

1. CVE-2023-326682. NVD-2023-326683. OSV-DEBIAN-2023-326684. OSV-2023-326685. SECURITY-TRACKER-CVE-2023-32668

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.