Remote Code Execution Vulnerability in Redis In-Memory Database
CVE-2024-46981
7HIGH
What is CVE-2024-46981?
An authenticated user in the Redis in-memory database can execute a specially crafted Lua script that manipulates the garbage collector. This manipulation could potentially allow the attacker to execute arbitrary code remotely. To mitigate this risk, users are advised to upgrade to the patched versions: 6.2.17, 7.2.7, and 7.4.2. Alternatively, users can restrict the execution of Lua scripts by implementing Access Control Lists (ACL) to prevent the use of EVAL and EVALSHA commands.
Affected Version(s)
redis >= 7.4.0, < 7.4.2 < 7.4.0, 7.4.2
redis >= 7.2.0, < 7.2.7 < 7.2.0, 7.2.7
redis < 6.2.17 < 6.2.17