CVE-2019-19391

{"id": "CVE-2019-19391", "cveTags": [{"tags": ["disputed"], "sourceIdentifier": "[email protected]"}], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "[email protected]", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2019-11-29T16:15:10.577", "references": [{"url": "https://github.com/LuaJIT/LuaJIT/pull/526", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "[email protected]"}, {"url": "https://github.com/LuaJIT/LuaJIT/pull/526", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00022.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-843"}]}], "descriptions": [{"lang": "en", "value": "In LuaJIT through 2.0.5, as used in Moonjit before 2.1.2 and other products, debug.getinfo has a type confusion issue that leads to arbitrary memory write or read operations, because certain cases involving valid stack levels and > options are mishandled. NOTE: The LuaJIT project owner states that the debug libary is unsafe by definition and that this is not a vulnerability. When LuaJIT was originally developed, the expectation was that the entire debug library had no security guarantees and thus it made no sense to assign CVEs. However, not all users of later LuaJIT derivatives share this perspective"}, {"lang": "es", "value": "** EN DISPUTA ** En LuaJIT hasta la versi\u00f3n 2.0.5, como se usaba en Moonjit antes de 2.1.2 y otros productos, debug.getinfo tiene un problema de confusi\u00f3n de tipos que conduce a operaciones arbitrarias de escritura o lectura de memoria, porque ciertos casos involucran niveles de pila v\u00e1lidos y > las opciones se manejan mal. NOTA: El propietario del proyecto LuaJIT declara que la biblioteca de depuraci\u00f3n no es segura por definici\u00f3n y que esto no es una vulnerabilidad. Cuando LuaJIT se desarroll\u00f3 originalmente, la expectativa era que toda la biblioteca de depuraci\u00f3n no ten\u00eda garant\u00edas de seguridad y, por lo tanto, no ten\u00eda sentido asignar CVE. Sin embargo, no todos los usuarios de derivados posteriores de LuaJIT comparten esta perspectiva."}], "lastModified": "2025-11-03T19:15:39.210", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:luajit:luajit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7369364F-A393-4616-B40E-8097CA70E957", "versionEndIncluding": "2.0.5"}, {"criteria": "cpe:2.3:a:moonjit_project:moonjit:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2A0BBC39-249D-469C-B5B3-4B2148E5C719", "versionEndExcluding": "2.1.2"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}