CVE-2022-28805: Critical severity lua lpeg vulnerability
Published Apr 8, 2022
Last updated 29 July 2024
singlevar in lparser.c in Lua from (including) 5.4.0 up to (excluding) 5.4.4 lacks a certain luaK_exp2anyregup call, leading to a heap-based buffer over-read that might affect a system that compiles untrusted Lua code.
Affected Software
9 affected components; fixes available

Component                Affected versions       Fixed versions
debian/lua5.1            -                       5.1.5-8.1, 5.1.5-9
debian/lua5.2            -                       5.2.4-1.1, 5.2.4-3
debian/lua5.3            -                       5.3.3-1.1+deb11u1, 5.3.6-2
debian/lua5.4            <=5.4.2-2               5.4.4-3+deb12u1, 5.4.6-3
debian/lua50             -                       5.0.3-8.1
Lua LPeg                 >=5.4.0, <5.4.5         -
fedoraproject fedora     =35                     -
fedoraproject fedora     =36                     -
Lua LPeg                 >=5.4.0, <=5.4.4        -
Remediation
Event History
Apr 8, 2022
- CVE Published (via MITRE, 12:00 AM)
- Data Sourced (via MITRE, 12:00 AM): Description
Jul 29, 2024
- Data Sourced (via Launchpad, 05:57 AM): Description
Sep 15, 2024
- Data Sourced (via Ubuntu, 06:03 AM)
Frequently Asked Questions
1. What is the vulnerability ID of this vulnerability?
   The vulnerability ID is CVE-2022-28805.
2. What is the severity of CVE-2022-28805?
   The severity of CVE-2022-28805 is critical, with a CVSS score of 9.1.
3. Which versions of Lua are affected by CVE-2022-28805?
   Lua versions from 5.4.0 up to (excluding) 5.4.4 are affected by CVE-2022-28805.
4. Which systems are affected by CVE-2022-28805?
   Systems with Lua versions from 5.4.0 up to (excluding) 5.4.4 are affected by CVE-2022-28805. Additionally, Fedora 35 and Fedora 36 are also affected.
5. How can CVE-2022-28805 be exploited?
   CVE-2022-28805 can be exploited by compiling untrusted Lua code, leading to a heap-based buffer over-read.