CVE-2022-24735

CWE-94 — Code Injection7 documents7 sources

Severity

7.8HIGH

EPSS

1.7%

top 17.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Redis Fedoraproject Fedora Oracle Communications Operations Monitor

Timeline

PublishedApr 27

Latest updateJul 15

Description

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Se…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:NExploitability: 1.3 | Impact: 2.5

Affected Packages4 packages

▶CVEListV5redis/redis< 7.0.0+1

▶NVDredis/redis< 6.2.7+1

▶Debianredis< 5:7.0.1-4+2

▶NVDoracle/communications_operations_monitor4.3, 4.4, 5.0+2

Also affects: Fedora 34, 35, 36

Patches

Patch: www.oracle.com ↗Patch: www.oracle.com ↗

🔴Vulnerability Details

CVEList

Lua scripts can be manipulated to overcome ACL rules in Redis↗2022-04-27

▶

OSV

CVE-2022-24735: Redis is an in-memory database that persists on disk↗2022-04-27

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Fraud Detection Monitor (Redis) — CVE-2022-24735↗2022-07-15

▶

Red Hat

redis: Code injection via Lua script execution environment↗2022-04-27

▶

Microsoft

Lua scripts can be manipulated to overcome ACL rules in Redis↗2022-04-12

▶

Debian

CVE-2022-24735: redis - Redis is an in-memory database that persists on disk. By exploiting weaknesses i...↗2022

▶