CVE-2022-35978: Lua sandbox escape from mod in Minetest
First published: Mon Aug 15 2022(Updated: )
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Minetest Minetest | <5.6.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2022-35978?
CVE-2022-35978 is a vulnerability in the Minetest game engine that allows a mod to set a global setting that controls the Lua script loaded to display the main menu, which could lead to remote code execution.
What is the severity of CVE-2022-35978?
CVE-2022-35978 has a severity rating of critical with a value of 10.
What software versions are affected by CVE-2022-35978?
Minetest versions up to and excluding 5.6.0 are affected by CVE-2022-35978.
How can I fix CVE-2022-35978?
Update Minetest to version 5.6.0 or later to mitigate CVE-2022-35978.
Where can I find more information about CVE-2022-35978?
You can find more information about CVE-2022-35978 in the Minetest changelog [1], the related GitHub commit [2], and the GitHub security advisory [3].
- collector/nvd-index
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/last-modified-date
- agent/references
- agent/severity
- agent/author
- agent/remedy
- agent/event
- agent/first-publish-date
- agent/description
- agent/tags
- agent/source
- vendor/minetest
- canonical/minetest minetest