CVE-2019-19391
Last modified
CVE-2019-19391 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. EPSS estimates a 1.33% chance of exploitation in the next 30 days.
Description
In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Luajit | Luajit | <= 2.0.5 |
| Moonjit Project | Moonjit | < 2.1.2 |
References
- https://github.com/LuaJIT/LuaJIT/pull/526Issue Tracking, Patch, Third Party Advisory
- https://github.com/LuaJIT/LuaJIT/pull/526Issue Tracking, Patch, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-19391?
How severe is CVE-2019-19391?
How do I fix CVE-2019-19391?
Are you affected by CVE-2019-19391?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST