CVE-2022-24834

2023-07-1315:15:08

CWE-122

CWE-680

[email protected]

web.nvd.nist.gov

redis

cve-2022-24834

lua script

heap overflow

remote code execution

information security

nvd

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

8.7 High

AI Score

Confidence

High

0.003 Low

EPSS

Percentile

70.8%

JSON

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

Affected configurations

Vulners

NVD

Node

redisredisRange7.0.0–7.0.12

redisredisRange6.2.0–6.2.13

redisredisRange6.0.0–6.0.20

VendorProductVersionCPE
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redis	redis	*	cpe:2.3:a:redis:redis::::::::
redis	redis	*	cpe:2.3:a:redis:redis::::::::
redis	redis	*	cpe:2.3:a:redis:redis::::::::

CNA Affected

[
  {
    "vendor": "redis",
    "product": "redis",
    "versions": [
      {
        "version": ">= 7.0.0, < 7.0.12",
        "status": "affected"
      },
      {
        "version": ">= 6.2.0, < 6.2.13",
        "status": "affected"
      },
      {
        "version": ">= 6.0.0, < 6.0.20",
        "status": "affected"
      }
    ]
  }
]