Arbitrary Requests through User-Controlled Values in http.request Header
CVE-2024-45597

5.3MEDIUM

Key Information:

Vendor: Plutolang
Status: Pluto
Vendor: CVE Published:; 10 September 2024

Summary

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Scripts passing user-controlled values to http.request header values are affected. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table.

Affected Version(s)

Pluto >= 0.9.0, <= 0.9.4

References

https://github.com/PlutoLang/Pluto/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/PlutoLang/Pluto/pull/945

x_refsource_MISC

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 10, 2024

Collectors

NVD DatabaseMitre Database