Products
Pluto
- UNKNOWN
Source
security-advisories@github.com
CVE-2024-45597 details
Published : Sept. 10, 2024, 10:15 p.m.
Last Modified : Sept. 10, 2024, 10:15 p.m.
Description
Pluto is a superset of Lua 5.4 with a focus on general-purpose programming. Before the fix, Pluto's http.request did not neutralize carriage-return and line-feed characters in header values (CWE-93). Scripts that pass user-controlled values into http.request header values are therefore affected: because each header value ends up as text in the raw HTTP request, an injected CR LF lets the attacker terminate the current header, end the header block, or start an entirely new request on the same connection. An attacker could use this to send arbitrary requests, potentially leveraging authentication tokens provided in the same headers table, since any header serialized after the injected value is attached to the attacker's request rather than the script's.
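The mechanism described above, as an added example in Python (this is not Pluto's code and not the fix in pull request 945): a naive header serializer in the style of the affected http.request, the smuggled second request that an injected CR LF produces, and a hardened builder that refuses the value. The request builder, the lenient request splitter, the host api.example, the bearer token and the attacker-controlled username are all constructed for the example.

```python
# Added example (not Pluto's own code): models in Python how an unneutralized
# CR/LF in a header value becomes a second request, and the check that stops it.
import re


def build_request(method: str, path: str, host: str, headers: dict) -> str:
    """Naive serializer that trusts header values (the vulnerable pattern).

    Each header is written as one 'Name: value' line, so a value that itself
    contains CR LF can end the header, the header block, or the whole request.
    """
    lines = [f"{method} {path} HTTP/1.1", f"Host: {host}"]
    for name, value in headers.items():
        lines.append(f"{name}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


# CR, LF and NUL are not permitted in HTTP field names or values (RFC 9110).
# A bare LF is rejected too, because lenient parsers accept it as a line end.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjectionError(ValueError):
    pass


def build_request_safe(method: str, path: str, host: str, headers: dict) -> str:
    """Hardened serializer: refuse any header name or value carrying CR/LF/NUL."""
    for name, value in headers.items():
        if _FORBIDDEN.search(name) or _FORBIDDEN.search(str(value)):
            raise HeaderInjectionError(f"CR/LF/NUL in header {name!r}")
    return build_request(method, path, host, headers)


def split_requests(raw: str):
    """Split a raw stream into request heads the way a keep-alive HTTP/1.1
    server would: each head ends at a blank line. Bodies are ignored here,
    since the injected request declares Content-Length: 0."""
    requests = []
    for head in raw.split("\r\n\r\n"):
        if not head:
            continue
        request_line, *field_lines = head.split("\r\n")
        fields = {}
        for line in field_lines:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
        requests.append((request_line, fields))
    return requests


# Constructed sample: the script forwards a username into a header and then
# sends its own bearer token. Python dicts keep insertion order; in a
# Lua/Pluto table the iteration order of string keys is unspecified, so
# whether the token lands on the smuggled request depends on that order.
TOKEN = "Bearer s3cr3t-token"
ATTACKER_USERNAME = (
    "alice\r\n\r\n"                            # blank line ends the script's request
    "POST /admin/delete-account HTTP/1.1\r\n"  # smuggled second request
    "Host: api.example\r\n"
    "Content-Length: 0"                        # no trailing CRLF: the serializer adds it
)


def vulnerable_exchange():
    """Serialize with the naive builder and show what the server sees."""
    headers = {"X-User": ATTACKER_USERNAME, "Authorization": TOKEN}
    raw = build_request("GET", "/profile", "api.example", headers)
    return split_requests(raw)


def hardened_rejects() -> bool:
    """True when the hardened builder refuses the same headers table."""
    headers = {"X-User": ATTACKER_USERNAME, "Authorization": TOKEN}
    try:
        build_request_safe("GET", "/profile", "api.example", headers)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    for request_line, fields in vulnerable_exchange():
        print(request_line, fields)
    print("hardened builder rejected it:", hardened_rejects())
```

With the naive builder the server parses two requests, and the second one, the attacker's POST, carries the script's Authorization header because that header was serialized after the injected value. Rejecting the request outright (rather than stripping CR/LF) is the safer choice for a library call: silently altering a value hides the attack from the calling script.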
CVSS Score
5.3
Weakness
Weakness | Name | Description |
---|---|---|
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.3
Exploitability Score
3.9
Impact Score
1.4
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
URL | Source |
---|---|
https://github.com/PlutoLang/Pluto/pull/945 | security-advisories@github.com |
https://github.com/PlutoLang/Pluto/security/advisories/GHSA-w8xp-pmx2-37w7 | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.