CVE-2020-24342

HIGH EPSS 61.1%
Published Aug 13, 20205y ago · Modified Jun 17, 20262w ago
7.8 CVSS 3.1
High
Find Similar
Published Aug 13, 2020 5y ago
Last Modified Jun 17, 2026 2w ago

Description

Lua through 5.4.0 allows a stack redzone cross in luaO_pushvfstring because a protection mechanism wrongly calls luaD_callnoyield twice in a row.

CVSS Details

Base Score
7.8
Exploitability
1.8
Impact
5.9
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
61.1% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Memory Safety

Affected Products 2

VendorProductVersionRange
lualua5.4.0any
fedoraprojectfedora33any

References 3

  • lua-users.org http://lua-users.org/lists/lua-l/2020-07/msg00052.html
    ExploitMailing ListVendor Advisory
  • github.com https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27
    PatchThird Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA5Q5MDQMTGXRQO3PAQ4EZFTYWJXZM5N/

Remediation

  • github.com https://github.com/lua/lua/commit/34affe7a63fc5d842580a9f23616d057e17dfe27
    PatchThird Party Advisory