CVE-2022-33099

Description

An issue in the component luaG_runerror of Lua v5.4.4 and below leads to a heap-buffer overflow when a recursive error occurs.

How to fix CVE-2022-33099

To remediate CVE-2022-33099, upgrade the affected package to a fixed version below.

• Bitnami/lua—upgrade to 5.4.5 or later
• Debian/lua5.4—no fix listed

Is CVE-2022-33099 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• >= 5.4.2, < 5.4.5
• from 0

CVSS scores

References (9)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-33099
• WEBgithub.com/lua/lua/commit/42d40581dd919fb134c07027ca1ce0844c670daf
• WEBlists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RJNJ66IFDUKWJJZXHGOLRGIA3HWWC36R/
• WEB