CVE-2024-32973

Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. In affected versions an attacker with the ability to actively intercept network traffic would be able to use a specifically-crafted certificate to fool Pluto into trusting it to be the intended remote for the TLS session. This results in the HTTP library and socket.starttls providing less transport integrity than expected. This issue has been patched in pull request #851 which has been included in version 0.9.3. Users are advised to upgrade. there are no known workarounds for this vulnerability.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/PlutoLang/Pluto/pull/851
https://github.com/PlutoLang/Pluto/security/advisories/GHSA-84hj-7j2v-w665
https://github.com/PlutoLang/Pluto/pull/851
https://github.com/PlutoLang/Pluto/security/advisories/GHSA-84hj-7j2v-w665

Configurations

No configuration.

History

21 Nov 2024, 09:16

Type	Values Removed	Values Added
Summary		(es) Pluto es un superconjunto de Lua 5.4 centrado en la programación de propósito general. En las versiones afectadas, un atacante con la capacidad de interceptar activamente el tráfico de red podría utilizar un certificado manipulado específicamente para engañar a Pluto y hacerle confiar en que es el control remoto previsto para la sesión TLS. Esto da como resultado que la librería HTTP y socket.starttls proporcionen menos integridad de transporte de lo esperado. Este problema se solucionó en la solicitud de extracción n.° 851, que se incluyó en la versión 0.9.3. Se recomienda a los usuarios que actualicen. No se conocen workarounds para esta vulnerabilidad.
References	~~() https://github.com/PlutoLang/Pluto/pull/851 -~~	() https://github.com/PlutoLang/Pluto/pull/851 -
References	~~() https://github.com/PlutoLang/Pluto/security/advisories/GHSA-84hj-7j2v-w665 -~~	() https://github.com/PlutoLang/Pluto/security/advisories/GHSA-84hj-7j2v-w665 -

01 May 2024, 11:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-01 11:15

Updated : 2024-11-21 09:16

NVD link : CVE-2024-32973

Mitre link : CVE-2024-32973

CVE.ORG link : CVE-2024-32973

JSON object : View

Products Affected

No product.

CWE

CWE-284

Improper Access Control

4.8 /10