CVE-2022-35978
Published: 15 August 2022
Summary
CVE-2022-35978 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Minetest Minetest. Its CVSS base score is 7.7 (High).
Operationally, ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Minetest, a free open-source voxel game engine, is affected by CVE-2022-35978 in its single-player mode. A mod can set a global setting that specifies an arbitrary Lua script to be loaded for the main menu display; this script executes immediately after the game session ends in an unsandboxed Lua environment, allowing direct interference with the underlying user system. The flaw is tracked under CWE-693 with a CVSS 3.1 score of 7.7.
An attacker with the ability to supply or influence a mod can exploit the issue in single-player contexts to run unsandboxed code that alters or accesses the host system once the player exits the game. No user interface interaction is required after the mod is loaded, though the attack complexity is rated high and privileges are limited to the local context.
References including the GitHub Security Advisory GHSA-663q-pcjw-27cc, the fixing commit da71e86633d0b27cd02d7aac9fdac625d141ca13, and the 5.5.0 to 5.6.0 changelog document the remediation shipped in Minetest 5.6.0. The original advisory noted the absence of known workarounds prior to the patch. The associated EPSS score rose from a low baseline to a peak of 0.1921, indicating emerging exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-38805
Vulnerability details
Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded…
more
as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Implements a reliable, tamperproof protection mechanism whose completeness can be assured.
Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.
Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.
Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.
Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.
The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.
Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.
Impact analysis identifies changes that could weaken or disable existing protection mechanisms.