First published: Sat May 20 2023
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Luatex Project Luatex | >=1.04, <1.16.2 | Update to LuaTeX 1.17.0 or later |
Miktex Miktex | >=2.9.6300, <23.5 | Update to MiKTeX 23.5 or later |
Tug Tex Live | >=2017, <2023 | Update to TeX Live 2023 r66984 or later |
CVE-2023-32700 is a vulnerability in LuaTeX before version 1.17.0 that allows execution of arbitrary shell commands when a TeX file obtained from an untrusted source is compiled.
CVE-2023-32700 occurs because luatex-core.lua, the Lua layer that is supposed to wrap io.popen with a restricted replacement, still lets the original io.popen be reached from document Lua code, so a crafted document can run arbitrary shell commands through it.
The software affected by CVE-2023-32700 includes LuaTeX before 1.17.0, TeX Live before 2023 r66984, and MiKTeX before 23.5.
The severity of CVE-2023-32700 is High, with a CVSS base score of 7.8.
To fix CVE-2023-32700, update LuaTeX to version 1.17.0 or later, TeX Live to 2023 r66984 or later, or MiKTeX to 23.5 or later. Because the bypass goes through the original io.popen rather than through the shell-escape mechanism, a version check, not a shell-escape setting, is the reliable way to tell whether an installation is affected.
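The following is an added example for checking an installation against this advisory; it is not code from the LuaTeX project or from this page. It parses the banner that `luatex --version` prints (assumed here to have the form `This is LuaTeX, Version X.Y.Z (...)`) and compares the version against 1.17.0, the first release the advisory names as fixed. The sample banners in the block are constructed for illustration, not captured from real systems, and the `check_installed_luatex` helper name is this example's own.

```python
"""Version check for CVE-2023-32700 (LuaTeX io.popen exposure).

Added example, not part of the advisory or the LuaTeX project. Assumes the
`luatex --version` banner starts with "This is LuaTeX, Version X.Y.Z".
"""
import re
import subprocess
from typing import Optional, Tuple

# First LuaTeX release with the fix, as stated in the advisory.
FIXED_LUATEX: Tuple[int, int, int] = (1, 17, 0)

# Matches the leading line of the `luatex --version` banner (assumed format).
BANNER_RE = re.compile(r"This is LuaTeX, Version (\d+)\.(\d+)\.(\d+)")


def parse_luatex_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from a LuaTeX version banner, or None
    if the text is not a LuaTeX banner (e.g. pdfTeX output)."""
    match = BANNER_RE.search(banner)
    if match is None:
        return None
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_vulnerable_luatex(banner: str) -> Optional[bool]:
    """True if the banner describes a LuaTeX older than 1.17.0, False if it
    is 1.17.0 or newer, None if the version could not be determined."""
    version = parse_luatex_version(banner)
    if version is None:
        return None
    # Tuple comparison orders (1, 16, 1) before (1, 17, 0), as intended.
    return version < FIXED_LUATEX


def check_installed_luatex(binary: str = "luatex") -> Optional[bool]:
    """Run `<binary> --version` on this host and classify the result.
    Returns None if the binary is missing or its output is unrecognised."""
    try:
        completed = subprocess.run(
            [binary, "--version"],
            capture_output=True,
            text=True,
            timeout=15,
            check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return None
    return is_vulnerable_luatex(completed.stdout)


# Constructed sample banners (illustrative, not captured from real systems).
SAMPLE_BANNERS = {
    "texlive-2022": "This is LuaTeX, Version 1.15.0 (TeX Live 2022)",
    "texlive-2023-prefix": "This is LuaTeX, Version 1.16.0 (TeX Live 2023)",
    "texlive-2023-fixed": "This is LuaTeX, Version 1.17.0 (TeX Live 2023)",
    "not-luatex": "This is pdfTeX, Version 3.141592653-2.6-1.40.25 (TeX Live 2023)",
}


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        verdict = is_vulnerable_luatex(banner)
        state = {True: "VULNERABLE", False: "fixed", None: "not LuaTeX"}[verdict]
        print(f"{label:22s} {state}")
    live = check_installed_luatex()
    if live is None:
        print("local luatex: not found or unrecognised banner")
    else:
        print("local luatex:", "VULNERABLE" if live else "fixed")
```

Run it on a build host or CI image that compiles documents from outside contributors; a `True` result means the host should be upgraded before it processes any untrusted TeX, since the page's description places the bypass in the Lua layer rather than in the shell-escape setting.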