Remote Code Execution Vulnerability in Redis In-Memory Database
CVE-2024-46981

7HIGH

Key Information:

Vendor

Redis

Status
Redis
Vendor
CVE Published:
6 January 2025

What is CVE-2024-46981?

An authenticated user in the Redis in-memory database can execute a specially crafted Lua script that manipulates the garbage collector. This manipulation could potentially allow the attacker to execute arbitrary code remotely. To mitigate this risk, users are advised to upgrade to the patched versions: 6.2.17, 7.2.7, and 7.4.2. Alternatively, users can restrict the execution of Lua scripts by implementing Access Control Lists (ACL) to prevent the use of EVAL and EVALSHA commands.

Affected Version(s)

redis >= 7.4.0, < 7.4.2 < 7.4.0, 7.4.2

redis >= 7.2.0, < 7.2.7 < 7.2.0, 7.2.7

redis < 6.2.17 < 6.2.17

References

https://github.com/redis/redis/security/advisories/GHSA-3...
x_refsource_CONFIRM
https://github.com/redis/redis/releases/tag/6.2.17
x_refsource_MISC
https://github.com/redis/redis/releases/tag/7.2.7
x_refsource_MISC

EPSS Score

73% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.
CVE-2024-46981 : Remote Code Execution Vulnerability in Redis In-Memory Database