Ankitects Anki MPV script injection vulnerability

Talos Vulnerability Report TALOS-2024-1993 Ankitects Anki MPV script injection vulnerability July 22, 2024 CVE Number CVE-2024-26020 SUMMARY An arbitrary script execution vulnerability exists in the MPV functionality of Ankitects Anki 24.04. A specially crafted flashcard can lead to a arbitrary...

RHEL 8 : redis (Unpatched Vulnerability)

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched. - redis: Redis SORTRO may bypass ACL configuration CVE-2023-41053 Note that Nessus has not tested for this issue but...

Mysterious Cyber Attack Took Down 600,000+ Routers in the U.S.

More than 600,000 small office/home office SOHO routers are estimated to have been bricked and taken offline following a destructive cyber attack staged by unidentified cyber actors, disrupting users' access to the internet. The mysterious event, which took place between October 25 and 27, 2023,...

BIT-REDIS-2022-24735 Lua scripts can be manipulated to overcome ACL rules in Redis

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the potentially higher privileges of another Redis user. The Lua scri...

BIT-REDIS-2022-24834 Heap overflow issue with the Lua cjson library used by Redis

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support,...

BIT-APACHE-2022-29404 Denial of service in mod_lua r:parsebody

In Apache HTTP Server 2.4.53 and earlier, a malicious request to a lua script that calls r:parsebody0 may cause a denial of service due to no default limit on possible input size...

Rhadamanthys Malware: Swiss Army Knife of Information Stealers Emerges

The developers of the information stealer malware known as Rhadamanthys are actively iterating on its features, broadening its information-gathering capabilities and also incorporating a plugin system to make it more customizable. This approach not only transforms it into a threat capable of...

USN-6531-1 redis vulnerabilities

Seiya Nakata and Yudai Fujiwara discovered that Redis incorrectly handled certain specially crafted Lua scripts. An attacker could possibly use this issue to cause heap corruption and execute arbitrary code. CVE-2022-24834 SeungHyun Lee discovered that Redis incorrectly handled specially crafted...

Amazon Linux 2 : redis (ALASREDIS6-2023-003)

The version of redis installed on the remote host is prior to 6.2.7-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2REDIS6-2023-003 advisory. A flaw was found in the Redis database where Lua scripts can be manipulated to overcome ACL rules. This flaw allows an...

MGASA-2023-0246 Updated redis packages fix security vulnerability

A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. CVE-2022-24834...

Updated redis packages fix security vulnerability

A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution. CVE-2022-24834...

Amazon Linux 2023 : redis6, redis6-devel (ALAS2023-2023-291)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2023-291 advisory. A heap-based buffer overflow flaw was found in Redis. This flaw allows an attacker to trick an authenticated user into executing a specially crafted Lua script in Redis. This attack triggers a heap...

CVE-2022-24834

CVE-2022-24834 describes a heap overflow in Redis’s Lua cjson/cmsgpack libraries that could lead to heap corruption and potentially remote code execution. The vulnerability affects Redis with Lua scripting support (from version 2.6 onward) and requires authenticated/authorized access. Affected re...

Redis 安全漏洞

Redis Labs Redis is an open source, network-enabled, memory-based, persistent logging, key-value Key-Value storage database written in ANSI C by Redis Labs, Inc. and provides APIs in multiple languages. A security vulnerability exists in Redis versions prior to 7.0.12, 6.2.13, and 6.0.20, which...

CVE-2022-24834

A heap-based buffer overflow flaw was found in Redis. This flaw allows a local authenticated attacker user or attacker to execute a specially crafted Lua script in Redis. This attack triggers a heap overflow in the cjson and cmsgpack libraries, resulting in heap corruption and potential remote co...

FreeBSD : redis -- Heap overflow in the cjson and cmsgpack libraries (0e254b4a-1f37-11ee-a475-080027f5fec9)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 0e254b4a-1f37-11ee-a475-080027f5fec9 advisory. - Redis core team reports: A specially crafted Lua script executing in Redis can trigger a heap overflo...

redis -- Heap overflow in the cjson and cmsgpack libraries

Redis core team reports: A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution...

CVE-2023-27496 Envoy may crash when a redirect url without a state param is received in the oauth filter

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, the OAuth filter assumes that a state query param is present on any response that looks like an OAuth redirect response. Sending it a request with t...

CBL Mariner 2.0 Security Update: redis (CVE-2022-24735)

The version of redis installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-24735 advisory. - Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution...

CVE-2023-27224

An issue found in NginxProxyManager v.2.9.19 allows an attacker to execute arbitrary code via a lua script to the configuration file...