CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS2 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.019 Low
EPSS Percentile: 88.6%

Ben Murphy reports:
It is possible to break out of the Lua sandbox in
Redis and execute arbitrary code.
This shouldn’t pose a threat to users under the
trusted Redis security model where only trusted
users can connect to the database. However, in real
deployments there could be databases that can be
accessed by untrusted users. The main deployments
that are vulnerable are developers' machines, places
where Redis servers can be reached via SSRF attacks
and cloud hosting.