Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2019-6706 |
CWE-ID | CWE-416 |
Exploitation vector | Network |
Public exploit | Public exploit code for vulnerability #1 is available. |
Vulnerable software | lua5.3 (Alpine package), Operating systems & Components / Operating system package or component |
Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU17229
Risk: Low
CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]
CVE-ID: CVE-2019-6706
CWE-ID:
CWE-416 - Use After Free
Exploit availability: Yes
Description: The vulnerability allows a remote attacker to compromise a vulnerable system.
The vulnerability exists due to a heap use-after-free error in lua_upvaluejoin in lapi.c. A remote attacker who is able to trigger a debug.upvaluejoin call in which the arguments have certain relationships can cause the service to crash.
Mitigation: Install the update from the vendor's website.
Vulnerable software versions: lua5.3 (Alpine package): 5.3.4-r2 - 5.3.5-r0
External links:
http://git.alpinelinux.org/aports/commit/?id=dd508687ca234b47651455c15b64b4e6263f20d5
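As an added example (not part of this bulletin or of Alpine's own tooling), a Python check that parses Alpine package version strings and flags lua5.3 builds that fall inside the affected range stated above. The `apk info -v` sample lines are constructed, and the check assumes versions outside the listed range are not affected.

```python
"""Affected-version check for the lua5.3 Alpine package (CVE-2019-6706).

Assumes Alpine's "<upstream>-r<release>" version format and treats the
range listed in the bulletin (5.3.4-r2 .. 5.3.5-r0, inclusive) as complete.
"""
import re
from typing import Dict, Tuple

AFFECTED_LOW = "5.3.4-r2"   # first affected build listed in the bulletin
AFFECTED_HIGH = "5.3.5-r0"  # last affected build listed in the bulletin

_VER_RE = re.compile(r"^(\d+(?:\.\d+)*)-r(\d+)$")
# Matches the main package only ("lua5.3-5.3.5-r0"), not lua5.3-libs or lua5.3-dev.
_PKG_RE = re.compile(r"^lua5\.3-(\d+(?:\.\d+)*-r\d+)$")

# Constructed sample of `apk info -v` output (one "name-version" per line).
SAMPLE_APK_INFO = """\
musl-1.1.22-r3
lua5.3-libs-5.3.5-r0
lua5.3-5.3.5-r0
lua5.3-dev-5.3.5-r0
"""


def parse_apk_version(ver: str) -> Tuple[Tuple[int, ...], int]:
    """Split "5.3.5-r0" into ((5, 3, 5), 0); raise ValueError on other shapes."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised Alpine version string: {ver!r}")
    upstream = tuple(int(p) for p in m.group(1).split("."))
    return upstream, int(m.group(2))


def is_affected(installed: str) -> bool:
    """True when the installed lua5.3 build lies inside the affected range.

    Tuple comparison orders the upstream version first and the -rN release
    second, so 5.3.5-r1 sorts after 5.3.5-r0 and is reported as not affected.
    """
    v = parse_apk_version(installed)
    return parse_apk_version(AFFECTED_LOW) <= v <= parse_apk_version(AFFECTED_HIGH)


def check_apk_info(apk_info_output: str) -> Dict[str, bool]:
    """Return {version: affected?} for every lua5.3 main-package line found."""
    found: Dict[str, bool] = {}
    for line in apk_info_output.splitlines():
        m = _PKG_RE.match(line.strip())
        if m:
            found[m.group(1)] = is_affected(m.group(1))
    return found
```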
http://git.alpinelinux.org/aports/commit/?id=145a4f50eed17c1f3776a9ba77ea45fd38a620ed
http://git.alpinelinux.org/aports/commit/?id=7571f6ce08088d0644c95da6b1c4a780078951a8
http://git.alpinelinux.org/aports/commit/?id=7ad58d2fec12ba6086e2774460d4bfe9e91471a9
http://git.alpinelinux.org/aports/commit/?id=ebd55722b9637f4559c94b13e5e061ffef9fb4a3
http://git.alpinelinux.org/aports/commit/?id=fda894f6c300cc264f5ca3fb93f499fe51a15750
http://git.alpinelinux.org/aports/commit/?id=23eacac21afa63d71f78d619df4ce5e0b728051d
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.