Cyber Resilience

CVE-2022-35978

High

Published: 15 August 2022

Published
15 August 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L
EPSS Score 0.1373 94.4th percentile
Risk Priority 24 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-35978 is a high-severity Protection Mechanism Failure (CWE-693) vulnerability in Minetest Minetest. Its CVSS base score is 7.7 (High).

Operationally, ranked in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Minetest, a free open-source voxel game engine, is affected by CVE-2022-35978 in its single-player mode. A mod can set a global setting that specifies an arbitrary Lua script to be loaded for the main menu display; this script executes immediately after the game session ends in an unsandboxed Lua environment, allowing direct interference with the underlying user system. The flaw is tracked under CWE-693 with a CVSS 3.1 score of 7.7.

An attacker with the ability to supply or influence a mod can exploit the issue in single-player contexts to run unsandboxed code that alters or accesses the host system once the player exits the game. No user interface interaction is required after the mod is loaded, though the attack complexity is rated high and privileges are limited to the local context.

References including the GitHub Security Advisory GHSA-663q-pcjw-27cc, the fixing commit da71e86633d0b27cd02d7aac9fdac625d141ca13, and the 5.5.0 to 5.6.0 changelog document the remediation shipped in Minetest 5.6.0. The original advisory noted the absence of known workarounds prior to the patch. The associated EPSS score rose from a low baseline to a peak of 0.1921, indicating emerging exploitation interest after disclosure.

EU & UK References

Vulnerability details

Minetest is a free open-source voxel game engine with easy modding and game creation. In **single player**, a mod can set a global setting that controls the Lua script loaded to display the main menu. The script is then loaded…

more

as soon as the game session is exited. The Lua environment the menu runs in is not sandboxed and can directly interfere with the user's system. There are currently no known workarounds.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

minetest
minetest
≤ 5.6.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-693

Implements a reliable, tamperproof protection mechanism whose completeness can be assured.

addresses: CWE-693

Procedures for training on protection mechanisms reduce the chance of protection mechanism failures being present or exploitable.

addresses: CWE-693

Documented procedures to implement assessment, authorization, and monitoring controls prevent these protection mechanisms from failing due to undefined processes.

addresses: CWE-693

Direct evaluation of whether controls produce desired security outcomes detects protection mechanism failures and enables remediation.

addresses: CWE-693

Requires assessment that protection mechanisms are correctly implemented and producing intended security outcomes.

addresses: CWE-693

The POA&M process ensures identified weaknesses in protection mechanisms are documented and scheduled for remediation, reducing the duration they remain exploitable.

addresses: CWE-693

Ongoing control assessments and analysis of monitoring data enable timely detection and response when protection mechanisms fail.

addresses: CWE-693

Impact analysis identifies changes that could weaken or disable existing protection mechanisms.

References