A Malformed Lua script can crash Redis
CVE-2022-24736

3.3LOW

Key Information:

Vendor

Redis

Status
Redis
Vendor
CVE Published:
27 April 2022

What is CVE-2022-24736?

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.

Affected Version(s)

redis < 6.2.7 < 6.2.7

redis < 7.0.0 < 7.0.0

References

https://github.com/redis/redis/pull/10651
x_refsource_MISC
https://github.com/redis/redis/releases/tag/6.2.7
x_refsource_MISC
https://github.com/redis/redis/releases/tag/7.0.0
x_refsource_MISC

CVSS V3.1

Score:
3.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.