CVE-2022-24735

Redis is an in-memory database that persists on disk. By exploiting
weaknesses in the Lua script execution environment, an attacker with access
to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user. The
Lua script execution environment in Redis provides some measures that
prevent a script from creating side effects that persist and can affect the
execution of the same, or different script, at a later time. Several
weaknesses of these measures have been publicly known for a long time, but
they had no security impact as the Redis security model did not endorse the
concept of users or privileges. With the introduction of ACLs in Redis 6.0,
these weaknesses can be exploited by a less privileged users to inject Lua
code that will execute at a later time, when a privileged user executes a
Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An
additional workaround to mitigate this problem without patching the
redis-server executable, if Lua scripting is not being used, is to block
access to SCRIPT LOAD and EVAL commands using ACL rules.