[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248268

 
 

909

 
 

195051

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CVE
view JSON

CVE-2019-6706Date: (C)2019-06-07   (M)2023-12-22


Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. For example, a crash outcome might be achieved by an attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 7.5CVSS Score : 5.0
Exploit Score: 3.9Exploit Score: 10.0
Impact Score: 3.6Impact Score: 2.9
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: NONEAuthentication: NONE
User Interaction: NONEConfidentiality: NONE
Scope: UNCHANGEDIntegrity: NONE
Confidentiality: NONEAvailability: PARTIAL
Integrity: NONE 
Availability: HIGH 
  
Reference:
https://lists.debian.org/debian-lts-announce/2023/06/msg00031.html
http://lua-users.org/lists/lua-l/2019-01/msg00039.html
http://packetstormsecurity.com/files/151335/Lua-5.3.5-Use-After-Free.html
https://access.redhat.com/security/cve/cve-2019-6706
https://github.com/Lua-Project/cve-analysis/blob/a43c9ccd00274b31fa2f24c6c8f20ce36655682d/CVE-2019-6706.pdf
https://github.com/lua/lua/commit/89aee84cbc9224f638f3b7951b306d2ee8ecb71e

CWE    1
CWE-416
OVAL    15
oval:org.secpod.oval:def:66501
oval:org.secpod.oval:def:57784
oval:org.secpod.oval:def:503388
oval:org.secpod.oval:def:57799
...

© SecPod Technologies