CVE-2022-35978

Name
CVE-2022-35978
Description
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.
NVD Severity
high

References

| Type | URI |
|---|---|
| MISC | https://github.com/minetest/minetest/commit/da71e86633d0b27cd02d7aac9fdac625d141ca13 |
| CONFIRM | https://github.com/minetest/minetest/security/advisories/GHSA-663q-pcjw-27cc |
| MISC | https://dev.minetest.net/Changelog#5.5.0_.E2.86.92_5.6.0 |

Match rules

| CPE URI | Source package | Min version | Max version |
|---|---|---|---|
| cpe:2.3:a:minetest:minetest:\*:\*:\*:\*:\*:\*:\*:\* | minetest | >= None | < 5.6.0 |

Vulnerable and fixed packages

| Source package | Branch | Version | Maintainer | Status |
|---|---|---|---|---|
| minetest | 3.16-community | 5.5.1-r0 | Patrycja Rosa <alpine@ptrcnull.me> | possibly vulnerable |