Lucene search

[email protected]NVD:CVE-2022-24736

HistoryApr 27, 2022 - 8:15 p.m.

CVE-2022-24736

2022-04-2720:15:09

CWE-476

[email protected]

web.nvd.nist.gov

redis

null pointer dereference

lua scripting

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

28.0%

JSON

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.

Affected configurations

Nvd

Node

redisredisRange<6.2.7

redisredisMatch7.0rc1

redisredisMatch7.0rc2

redisredisMatch7.0rc3

Node

fedoraprojectfedoraMatch34

fedoraprojectfedoraMatch35

fedoraprojectfedoraMatch36

Node

netappmanagement_services_for_element_softwareMatch-

netappmanagement_services_for_netapp_hciMatch-

Node

oraclecommunications_operations_monitorMatch4.3

oraclecommunications_operations_monitorMatch4.4

oraclecommunications_operations_monitorMatch5.0

VendorProductVersionCPE
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
redisredis7.0cpe:2.3:a:redis:redis:7.0:rc1:*:*:*:*:*:*
redisredis7.0cpe:2.3:a:redis:redis:7.0:rc2:*:*:*:*:*:*
redisredis7.0cpe:2.3:a:redis:redis:7.0:rc3:*:*:*:*:*:*
fedoraprojectfedora34cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
fedoraprojectfedora35cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
fedoraprojectfedora36cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
netappmanagement_services_for_element_software-cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*
netappmanagement_services_for_netapp_hci-cpe:2.3:a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:*
oraclecommunications_operations_monitor4.3cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redis	redis	*	cpe:2.3:a:redis:redis::::::::
redis	redis	7.0	cpe:2.3:a:redis:redis:7.0:rc1::::::
redis	redis	7.0	cpe:2.3:a:redis:redis:7.0:rc2::::::
redis	redis	7.0	cpe:2.3:a:redis:redis:7.0:rc3::::::
fedoraproject	fedora	34	cpe:2.3:o:fedoraproject:fedora:34:::::::*
fedoraproject	fedora	35	cpe:2.3:o:fedoraproject:fedora:35:::::::*
fedoraproject	fedora	36	cpe:2.3:o:fedoraproject:fedora:36:::::::*
netapp	management_services_for_element_software	-	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
netapp	management_services_for_netapp_hci	-	cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::*
oracle	communications_operations_monitor	4.3	cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*