Here is a negation overflow in lua about civetweb HOT 5 OPEN

I have checked this vulnerability a while ago, and rated it differently in the environment of the webserver.
The Lua code is provided by the server owner, not the user of the web server - so it is actually "trusted code" or requires the server administrator to put the Lua script there.
This means, it requires a privileged user to put the Lua code there (changing PR:N to PR:H):
https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
With a base score of 2.7 I ignored this until the new official Lua version is integrated later. If an attacker can bring a modified Lua code to be executed by the server, there are more dangerous attacks than exploiting this.
I am not opposing a fix, if there is one ready to integrate with little effort. I just considered this CVE as not dangerous in the context of the CivetWeb application and therefore did not create a new version.

from civetweb.

So maybe I can open a PR for it to fix this vulnerability?

from civetweb.

Yes, you can.
But sooner or later it is going to be replaced by the most recent Lua version - then everything fixed upstream will be here as well.

from civetweb.

Hi, I've open a PR which is #1246, please check it, thank you!

from civetweb.

Automatic integration tests are started, but I will need to do a few manual tests after this as well.

from civetweb.