Skip to main content

Lua CVE-2020-15945

MEDIUM
2020-07-24 cve@mitre.org
5.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Jul 24, 2020 - 21:15 nvd
MEDIUM 5.5

DescriptionNVD

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function.

AnalysisAI

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available.

Technical ContextAI

Lua 5.4.0 (fixed in 5.4.1) has a segmentation fault in changedline in ldebug.c (e.g., when called by luaG_traceexec) because it incorrectly expects that an oldpc value is always updated upon a return of the flow of control to a function. Affected products include: Lua.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Lua

View all
CVE-2020-15889 CRITICAL POC
9.8 Jul 21

Lua 5.4.0 has a getobjname heap-based buffer over-read because youngcollection in lgc.c uses markold for an insufficient

CVE-2022-28805 CRITICAL POC
9.1 Apr 08

singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, lea

CVE-2020-15888 HIGH POC
8.8 Jul 21

Lua through 5.4.0 mishandles the interaction between stack resizes and garbage collection, leading to a heap-based buffe

CVE-2020-24342 HIGH POC
7.8 Aug 13

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_ca

CVE-2022-33099 HIGH POC
7.5 Jul 01

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error o

CVE-2020-24369 HIGH POC
7.5 Aug 17

ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL p

CVE-2019-6706 HIGH POC
7.5 Jan 23

Lua 5.3.5 has a use-after-free in lua_upvaluejoin in lapi.c. Rated high severity (CVSS 7.5), this vulnerability is remot

CVE-2014-5461 MEDIUM POC
5.0 Sep 04

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attacker

CVE-2021-43519 MEDIUM POC
5.5 Nov 09

Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via

CVE-2020-24371 MEDIUM POC
5.3 Aug 17

lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation

CVE-2020-24370 MEDIUM POC
5.3 Aug 17

ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by get

Share

CVE-2020-15945 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy