CVE-2021-45985
https://notcve.org/view.php?id=CVE-2021-45985
10 Apr 2023 — In Lua 5.4.3, an erroneous finalizer called during a tail call leads to a heap-based buffer over-read. • http://lua-users.org/lists/lua-l/2021-12/msg00019.html • CWE-787: Out-of-bounds Write
CVE-2022-33099 – lua: heap buffer overflow in luaG_errormsg() in ldebug.c due to uncontrolled recursion in error handling
https://notcve.org/view.php?id=CVE-2022-33099
01 Jul 2022 — An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs. A vulnerability was found in Lua. During error handling, the luaG_errormsg() component uses slots from EXTRA_STACK. Some errors can recur such as a string overflow while creating an error message in 'luaG_runerror'... • https://github.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf • CWE-787: Out-of-bounds Write
CVE-2022-28805 – lua: heap buffer overread
https://notcve.org/view.php?id=CVE-2022-28805
08 Apr 2022 — singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code. A heap buffer-overflow vulnerabil... • https://github.com/lua/lua/commit/1f3c6f4534c6411313361697d98d1145a1f030fa • CWE-125: Out-of-bounds Read
CVE-2021-44964 – lua: use after free allows Sandbox Escape
https://notcve.org/view.php?id=CVE-2021-44964
14 Mar 2022 — Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file. A flaw was found in the Lua interpreter. This flaw allows an attacker who can have a malicious script executed ... • http://lua-users.org/lists/lua-l/2021-11/msg00186.html • CWE-416: Use After Free
CVE-2021-44647 – Gentoo Linux Security Advisory 202305-23
https://notcve.org/view.php?id=CVE-2021-44647
11 Jan 2022 — Lua v5.4.3 and above are affected by a SEGV caused by type confusion in the funcnamefromcode function in ldebug.c, which can cause a local denial of service. Multiple vulnerabilities have been discovered in Lua, the worst of which could result in arbitrary code execution. • http://lua-users.org/lists/lua-l/2021-11/msg00195.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CVE-2021-43519 – lua: stack overflow in lua_resume of ldo.c allows a DoS via a crafted script file
https://notcve.org/view.php?id=CVE-2021-43519
09 Nov 2021 — Stack overflow in lua_resume of ldo.c in Lua Interpreter 5.1.0~5.4.4 allows attackers to perform a Denial of Service via a crafted script file. A stack overflow issue was discovered in Lua in the lua_resume() function of 'ldo.c'. This flaw allows a local attacker to pass a specially crafted file ... • http://lua-users.org/lists/lua-l/2021-10/msg00123.html • CWE-674: Uncontrolled Recursion • CWE-787: Out-of-bounds Write
CVE-2020-24369
https://notcve.org/view.php?id=CVE-2020-24369
17 Aug 2020 — ldebug.c in Lua 5.4.0 attempts to access debug information via the line hook of a stripped function, leading to a NULL pointer dereference. • https://github.com/lua/lua/commit/ae5b5ba529753c7a653901ffc29b5ea24c3fdf3a • CWE-476: NULL Pointer Dereference
CVE-2020-24371
https://notcve.org/view.php?id=CVE-2020-24371
17 Aug 2020 — lgc.c in Lua 5.4.0 mishandles the interaction between barriers and the sweep phase, leading to a memory access violation involving collectgarbage. • https://github.com/lua/lua/commit/a6da1472c0c5e05ff249325f979531ad51533110 • CWE-763: Release of Invalid Pointer or Reference
CVE-2020-24370 – lua: segmentation fault in getlocal and setlocal functions in ldebug.c
https://notcve.org/view.php?id=CVE-2020-24370
17 Aug 2020 — ldebug.c in Lua 5.4.0 allows a negation overflow and segmentation fault in getlocal and setlocal, as demonstrated by getlocal(3,2^31). Red Hat Advanced Cluster Management for Kubernetes 2.2.10 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reli... • https://github.com/RenukaSelvar/lua_CVE-2020-24370 • CWE-191: Integer Underflow (Wrap or Wraparound) • CWE-682: Incorrect Calculation
CVE-2020-24342
https://notcve.org/view.php?id=CVE-2020-24342
13 Aug 2020 — Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row. • http://lua-users.org/lists/lua-l/2020-07/msg00052.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer