CVE-2019-19391

EPSS 0.27%
Published 29.11.2019 16:15:10
Last modified 21.11.2024 04:34:42
Source cve@mitre.org
CVE-Watchlists
Login
Open
Login

In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Luajit ≫ Luajit Version <= 2.0.5

Moonjit Project ≫ Moonjit Version < 2.1.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.27%	0.504

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvd@nist.gov	6.4	10	4.9	AV:N/AC:L/Au:N/C:P/I:P/A:N

CWE-843 Access of Resource Using Incompatible Type ('Type Confusion')

The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type.

https://github.com/LuaJIT/LuaJIT/pull/526

Patch

Third Party Advisory

Issue Tracking

https://nvd.nist.gov/vuln/detail/CVE-2019-19391

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-19391

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-19391

EUVD