CVE Vulnerability

CVE-2021-44964

Use after free in garbage collector and finalizer of lgc.c in Lua interpreter 5.4.0~5.4.3 allows attackers to perform Sandbox Escape via a crafted script file.

4.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 8.6 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

6.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 4

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References
Link Resource
http://lua-users.org/lists/lua-l/2021-12/msg00030.html Mailing List Vendor Advisory
http://lua-users.org/lists/lua-l/2021-12/msg00015.html Mailing List Vendor Advisory
https://github.com/Lua-Project/lua-5.4.4-sandbox-escape-with-new-vulnerability Exploit Third Party Advisory
http://lua-users.org/lists/lua-l/2021-11/msg00186.html Exploit Mailing List
http://lua-users.org/lists/lua-l/2021-12/msg00007.html Exploit Mailing List
Configurations

Configuration 1

cpe:2.3:a:lua:lua:*:*:*:*:*:*:*:*
Information

Published : 2022-03-14 03:15

Updated : 2022-03-21 05:17

NVD link : CVE-2021-44964

Mitre link : CVE-2021-44964

Products Affected
No products.
CWE
CWE-416