#VU33088 Buffer overflow - CVE-2014-5461

Cybersecurity Help s.r.o.

Published: 2014-09-04 | Updated: 2020-08-03

Vulnerability identifier: #VU33088

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-5461

CWE-ID: CWE-119

Exploitation vector: Network

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform service disruption.

Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments.

Mitigation
Install update from vendor's website.

External links
https://advisories.mageia.org/MGASA-2014-0414.html
https://lists.opensuse.org/opensuse-updates/2014-09/msg00030.html
https://secunia.com/advisories/59890
https://secunia.com/advisories/60869
https://secunia.com/advisories/61411
https://www.debian.org/security/2014/dsa-3015
https://www.debian.org/security/2014/dsa-3016
https://www.lua.org/bugs.html#5.2.2-1
https://www.mandriva.com/security/advisories?name=MDVSA-2015:144
https://www.openwall.com/lists/oss-security/2014/08/21/1
https://www.openwall.com/lists/oss-security/2014/08/21/4
https://www.openwall.com/lists/oss-security/2014/08/27/2
https://www.securityfocus.com/bid/69342
https://www.ubuntu.com/usn/USN-2338-1
https://security.gentoo.org/glsa/201701-53

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Lua

Amazon Linux AMI update for lua

Buffer overflow in lua5.2 (Alpine package)