CVE-2022-24834

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

Published: Jul 13, 2023
Updated: Jul 26, 2023
CVE: CVE-2022-24834
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-122
CWE-680

Affected Software
References

Software	From	Fixed in
redis / redis	7.0.0	7.0.12
redis / redis	6.2.0	6.2.13
redis / redis	2.6.0	6.0.20
fedoraproject / fedora	37	37.x
fedoraproject / fedora	38	38.x

https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838
https://lists.fedoraproject.org/archives/list/[email protected]/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/
https://lists.fedoraproject.org/archives/list/[email protected]/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/
https://security.netapp.com/advisory/ntap-20230814-0006/

Vulnerability Database

289,599

CVE-2022-24834