QwikSec

Security Database

CVE

CWE

Training

CVE-2023-32700

Published: May 20, 2023

Modified: Jan 31, 2025

PUBLISHED

Description

LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://tug.org/pipermail/tex-live/2023-May/049188.html

https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0

https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984

https://tug.org/~mseven/luatex.html

FEDORA-2023-38094d905c

vendor-advisory

FEDORA-2023-d261122726

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.