Arbitrary Requests through User-Controlled Values in http.request Header

CVE-2024-45597

5.3MEDIUM

Key Information

Vendor: Plutolang
Status: Pluto
Vendor: CVE Published:; 10 September 2024

Summary

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

Affected Version(s)

Pluto = >= 0.9.0, <= 0.9.4

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: null to: 5.3 - (MEDIUM)
Sep 11, 2024
Vulnerability published.
Sep 10, 2024

Collectors

NVD DatabaseMitre Database