CVE-2020-11722
CRITICAL
Dungeon Crawl Stone Soup < 0.25 - Remote Code Execution via Lua Bytecode in .crawlrc Upload
Title source: llm
Description
Dungeon Crawl Stone Soup (aka DCSS or crawl) before 0.25 allows remote attackers to execute arbitrary code via Lua bytecode embedded in an uploaded .crawlrc file.
References (6)
Core References
Patch, Third Party Advisory x_refsource_misc
https://dpmendenhall.blogspot.com/2020/03/dungeon-crawl-stone-soup.html
Patch, Third Party Advisory x_refsource_misc
https://github.com/crawl/crawl/commit/768f60da87a3fa0b5561da5ade9309577c176d04
Patch, Third Party Advisory x_refsource_misc
https://github.com/crawl/crawl/commit/fc522ff6eb1bbb85e3de60c60a45762571e48c28
Mailing List vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00037.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XNXK7QE7EA7XSDDNOWX2A6MJNWOIYCTC/
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6QLPN635S7J3MUXLIHYK6MDAHEIASFYP/
Scores
CVSS v3
9.8
EPSS
0.0392
EPSS Percentile
89.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-434
Status
published
Products (1)
dungeon_crawl_stone_soup_project/dungeon_crawl_stone_soup
< 0.25
Published
Apr 12, 2020
Tracked Since
Feb 18, 2026