Heap-based Buffer Over-read in Lua Compiler
CVE-2022-28805

9.1CRITICAL

Key Information:

Vendor: Lua
Status: Lua
Vendor: CVE Published:; 8 April 2022

What is CVE-2022-28805?

A vulnerability exists in the Lua compiler versions 5.4.0 to 5.4.4 due to a missing luaK_exp2anyregup call in the lparser.c file. This omission can lead to a heap-based buffer over-read, which may pose significant risks when untrusted Lua code is compiled. Systems utilizing these versions without proper mitigation could be exposed to potentially unsafe data handling, thus emphasizing the importance of upgrading to patched versions and adhering to secure coding practices.

References

https://lua-users.org/lists/lua-l/2022-02/msg00001.html

https://lua-users.org/lists/lua-l/2022-02/msg00070.html

https://lua-users.org/lists/lua-l/2022-04/msg00009.html

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2022
Vulnerability Reserved
Apr 8, 2022