Lucene search

K
cveGitHub_MCVE-2022-24736
HistoryApr 27, 2022 - 8:15 p.m.

CVE-2022-24736

2022-04-2720:15:09
CWE-476
GitHub_M
web.nvd.nist.gov
152
4
redis
cve-2022-24736
in-memory database
security vulnerability
null pointer dereference
lua script
crash
mitigation
acl rules

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6

Confidence

High

EPSS

0.001

Percentile

28.0%

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.

Affected configurations

Nvd
Vulners
Node
redisredisRange<6.2.7
OR
redisredisMatch7.0rc1
OR
redisredisMatch7.0rc2
OR
redisredisMatch7.0rc3
Node
fedoraprojectfedoraMatch34
OR
fedoraprojectfedoraMatch35
OR
fedoraprojectfedoraMatch36
Node
netappmanagement_services_for_element_softwareMatch-
OR
netappmanagement_services_for_netapp_hciMatch-
Node
oraclecommunications_operations_monitorMatch4.3
OR
oraclecommunications_operations_monitorMatch4.4
OR
oraclecommunications_operations_monitorMatch5.0
VendorProductVersionCPE
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "redis",
    "vendor": "redis",
    "versions": [
      {
        "status": "affected",
        "version": "< 6.2.7"
      },
      {
        "status": "affected",
        "version": "< 7.0.0"
      }
    ]
  }
]

Social References

More

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

AI Score

6

Confidence

High

EPSS

0.001

Percentile

28.0%