Vulnerability Database
296,746
Total vulnerabilities in the database
CVE-2023-32700
LuaTeX before 1.17.0 allows execution of arbitrary shell commands when compiling a TeX file obtained from an untrusted source. This occurs because luatex-core.lua lets the original io.popen be accessed. This also affects TeX Live before 2023 r66984 and MiKTeX before 23.5.
| Software | From | Fixed in |
|---|---|---|
| luatex_project / luatex | 1.04 | 1.16.2 |
| miktex / miktex | 2.9.6300 | 23.5 |
| tug / tex_live | 2017 | 2023 |
- https://github.com/TeX-Live/texlive-source/releases/tag/build-svn66984
- https://gitlab.lisn.upsaclay.fr/texlive/luatex/-/tags/1.17.0
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RLY43MIRONJSJVNBDFQHQ26MP3JIOB3H/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF6YXUUFRGBIXIIIEV5SGBJXXT2SMUK5/
- https://tug.org/~mseven/luatex.html
- https://tug.org/pipermail/tex-live/2023-May/049188.html
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime