
exploitDog

CVE-2020-15890

Published: 11 Jul 2020
Source: redhat
CVSS3: 7.5

Description

LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.

A flaw was found in luajit. An out-of-bounds read can occur due to a frame traversal being mishandled.

Report

OpenShift ServiceMesh proxy does package a vulnerable version of luajit. The segmentation fault is triggered by creating an inline code rule in the envoy filter; however, envoy can also be caused to exit via a code rule which is not syntactically correct. A user who has permissions to change the filter rule can have the same effect regardless, hence this issue will not be addressed at this time and might be fixed in a future release.

Affected packages

| Platform | Package | State | Recommendation | Release |
| --- | --- | --- | --- | --- |
| OpenShift Service Mesh 1 | servicemesh-proxy | Will not fix | | |
| Advanced Virtualization for RHEL 8.2.1 | virt | Fixed | RHBA-2020:3172 | 28.07.2020 |
| Advanced Virtualization for RHEL 8.2.1 | virt-devel | Fixed | RHBA-2020:3172 | 28.07.2020 |

Additional information

Status: Moderate
Defect: CWE-125
https://bugzilla.redhat.com/show_bug.cgi?id=1860324 luajit: out-of-bounds read because __gc handler frame traversal is mishandled

7.5 High

CVSS3

Related vulnerabilities

CVSS3: 7.5
ubuntu
more than 5 years ago

LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.

CVSS3: 7.5
nvd
more than 5 years ago

LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.

CVSS3: 7.5
debian
more than 5 years ago

LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc hand ...

CVSS3: 7.5
github
more than 3 years ago

LuaJit through 2.1.0-beta3 has an out-of-bounds read because __gc handler frame traversal is mishandled.

CVSS3: 7.5
fstec
more than 5 years ago

A vulnerability in the function static ptrdiff_t finderrfunc in src/lj_err.c of the LuaJIT compiler for the Lua programming language, allowing an attacker to cause a denial of service
