Main Vulnerability Database Vulnerabilities #VU14013

Code injection in The Battle for Wesnoth - CVE-2018-1999023

Published: July 25, 2018 / Updated: July 26, 2018

Vulnerability identifier: #VU14013

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2018-1999023

CWE-ID: CWE-94

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: The Battle for Wesnoth Project

Affected software:
The Battle for Wesnoth

Detailed vulnerability description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a code injection in the Lua scripting engine. A remote unauthenticated attacker can load a specially crafted saved games, networked games, replays, and player content to execute arbitrary code outside the sandbox.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

How to mitigate CVE-2018-1999023

Update to version 1.14.4.

Sources

https://gist.github.com/shikadiqueen/45951ddc981cf8e0d9a74e4b30400380

Code injection in The Battle for Wesnoth - CVE-2018-1999023

Detailed vulnerability description

How to mitigate CVE-2018-1999023

Sources

Please verify you're human