Heap use-after-free in lua5.3 (Alpine package)

1) Heap use-after-free

EUVDB-ID: #VU17229

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-6706

CWE-ID: CWE-416 - Use After Free

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a geap use-after-free error in lua_upvaluejoin in lapi.c. A remote attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships can cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

lua5.3 (Alpine package): 5.3.4-r2 - 5.3.5-r0

External links

http://git.alpinelinux.org/aports/commit/?id=dd508687ca234b47651455c15b64b4e6263f20d5
http://git.alpinelinux.org/aports/commit/?id=145a4f50eed17c1f3776a9ba77ea45fd38a620ed
http://git.alpinelinux.org/aports/commit/?id=7571f6ce08088d0644c95da6b1c4a780078951a8
http://git.alpinelinux.org/aports/commit/?id=7ad58d2fec12ba6086e2774460d4bfe9e91471a9
http://git.alpinelinux.org/aports/commit/?id=ebd55722b9637f4559c94b13e5e061ffef9fb4a3
http://git.alpinelinux.org/aports/commit/?id=fda894f6c300cc264f5ca3fb93f499fe51a15750
http://git.alpinelinux.org/aports/commit/?id=23eacac21afa63d71f78d619df4ce5e0b728051d

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.