CVE-2024-32973

Name of the Vulnerable Software and Affected Versions Pluto versions prior to 0.9.3

Description The issue affects Pluto, a superset of Lua 5.4, allowing an attacker who can intercept network traffic to use a specifically-crafted certificate to fool Pluto into trusting it as the intended remote for the TLS session. This results in the HTTP library and socket.starttls providing less transport integrity than expected.

Recommendations For versions prior to 0.9.3, upgrade to version 0.9.3 to resolve the issue. As a temporary workaround, consider restricting the use of the HTTP library and socket.starttls until the upgrade is applied.