Lucene search

[email protected]CVE-2022-0543

HistoryFeb 18, 2022 - 8:15 p.m.

CVE-2022-0543

2022-02-1820:15:00

CWE-862

[email protected]

web.nvd.nist.gov

1158

In Wild

cve-2022-0543

redis

key-value database

debian

lua sandbox

escape

remote code execution

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.8%

JSON

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

CPENameOperatorVersion
redis:redisrediseq-

CPE	Name	Operator	Version
redis:redis	redis	eq	-

References

packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html

bugs.debian.org/1005787

lists.debian.org/debian-security-announce/2022/msg00048.html

security.netapp.com/advisory/ntap-20220331-0004/

www.debian.org/security/2022/dsa-5081

www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce

Social References

10 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.971 High

EPSS

Percentile

99.8%

JSON

CVE-2022-0543

References

Social References

Related