CVE-2022-24834
published 2023-07-13


Priority: P271, high
CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 42.92% (98.6th percentile)
Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, resulting in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

Affected

22 ranges

Vendor | Product | Version range | Fixed in
debian | redis | < 5:7.0.15-1~deb12u1 (bookworm) | 5:7.0.15-1~deb12u1 (bookworm)
fedoraproject | fedora | (not specified) | (not specified)
fedoraproject | fedora | (not specified) | (not specified)
msrc | cbl2_redis_6.2.13-2_on_cbl_mariner_2.0 | (not specified) | (not specified)
ni | flexlogger | <= 23.2 | (not specified)
ni | flexlogger | <= 2023 | (not specified)
ni | flexlogger | (not specified) | (not specified)
ni | systemlink | <= 2024 | (not specified)
ni | systemlink | (not specified) | (not specified)
ni | systemlink_server | <= 24.1 | (not specified)
redis | redis | >= 0 < 5:6.0.16-1+deb11u3 | 5:6.0.16-1+deb11u3
redis | redis | >= 0 < 5:7.0.15-1~deb12u1 | 5:7.0.15-1~deb12u1
redis | redis | >= 0 < 5:7.0.12-1 | 5:7.0.12-1
redis | redis | >= 0 < 5:7.0.12-1 | 5:7.0.12-1
redis | redis | >= 0 < 2:2.8.4-2ubuntu0.2+esm3 | 2:2.8.4-2ubuntu0.2+esm3
redis | redis | >= 0 < 2:3.0.6-1ubuntu0.4+esm2 | 2:3.0.6-1ubuntu0.4+esm2
redis | redis | >= 0 < 5:4.0.9-1ubuntu0.2+esm4 | 5:4.0.9-1ubuntu0.2+esm4
redis | redis | >= 0 < 5:5.0.7-2ubuntu0.1+esm2 | 5:5.0.7-2ubuntu0.1+esm2
redis | redis | >= 0 < 5:6.0.16-1ubuntu1+esm1 | 5:6.0.16-1ubuntu1+esm1
redis | redis | >= 2.6.0 < 6.0.20 | 6.0.20
redis | redis | >= 6.2.0 < 6.2.13 | 6.2.13
redis | redis | >= 7.0.0 < 7.0.12 | 7.0.12

Detection & IOCs (extracted from sources)

  • Trigger condition: a specially crafted Lua script executing in Redis triggers a heap overflow in the cjson or cmsgpack library, leading to heap corruption and potentially remote code execution
  • Affected attack surface: EVAL and EVALSHA Redis commands used to submit malicious Lua scripts; restrict or monitor these commands via ACL
  • Scope limited to authenticated and authorized Redis users; monitor for unusual Lua script execution by authenticated sessions
  • Vulnerable libraries are cjson and cmsgpack within Redis's Lua scripting subsystem; heap overflow occurs in these libraries when processing crafted input
  • Vulnerability affects all Redis versions with Lua scripting support starting from 2.6; fixed versions are 7.0.12, 6.2.13, and 6.0.20. Ensure deployed Redis instances are patched to these versions or later
  • NI SystemLink Server 2024 Q1 and prior, and NI FlexLogger 2023 Q2 and prior, ship an out-of-date Redis and are affected
  • Debian bookworm fix is in package version 5:7.0.15-1~deb12u1; bullseye fix is in 5:6.0.16-1+deb11u3; forky/sid/trixie fix is in 5:7.0.12-1
  • Red Hat rh-redis6-redis (Software Collections) and 3scale-amp-system-container are marked 'Will not fix'; factor this into risk acceptance decisions

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv | | 8.8 | HIGH |
vendor_msrc | | 8.8 | HIGH |
vendor_oracle | | 8.8 | HIGH |
vendor_ubuntu | | 8.8 | HIGH |
vendor_debian | | 7.0 | HIGH |
vendor_redhat | | 7.0 | HIGH |