7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
59.5%
Redis is an in-memory database that persists on disk. By exploiting
weaknesses in the Lua script execution environment, an attacker with access
to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user. The
Lua script execution environment in Redis provides some measures that
prevent a script from creating side effects that persist and can affect the
execution of the same, or different script, at a later time. Several
weaknesses of these measures have been publicly known for a long time, but
they had no security impact as the Redis security model did not endorse the
concept of users or privileges. With the introduction of ACLs in Redis 6.0,
these weaknesses can be exploited by a less privileged users to inject Lua
code that will execute at a later time, when a privileged user executes a
Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An
additional workaround to mitigate this problem without patching the
redis-server executable, if Lua scripting is not being used, is to block
access to SCRIPT LOAD
and EVAL
commands using ACL rules.
github.com/redis/redis/pull/10651
github.com/redis/redis/releases/tag/6.2.7
github.com/redis/redis/releases/tag/7.0.0
github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq
launchpad.net/bugs/cve/CVE-2022-24735
nvd.nist.gov/vuln/detail/CVE-2022-24735
security-tracker.debian.org/tracker/CVE-2022-24735
www.cve.org/CVERecord?id=CVE-2022-24735
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.002 Low
EPSS
Percentile
59.5%