CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
60.0%
Redis is an in-memory database that persists on disk. By exploiting
weaknesses in the Lua script execution environment, an attacker with access
to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will
execute with the (potentially higher) privileges of another Redis user. The
Lua script execution environment in Redis provides some measures that
prevent a script from creating side effects that persist and can affect the
execution of the same, or different script, at a later time. Several
weaknesses of these measures have been publicly known for a long time, but
they had no security impact as the Redis security model did not endorse the
concept of users or privileges. With the introduction of ACLs in Redis 6.0,
these weaknesses can be exploited by a less privileged users to inject Lua
code that will execute at a later time, when a privileged user executes a
Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An
additional workaround to mitigate this problem without patching the
redis-server executable, if Lua scripting is not being used, is to block
access to SCRIPT LOAD
and EVAL
commands using ACL rules.
github.com/redis/redis/pull/10651
github.com/redis/redis/releases/tag/6.2.7
github.com/redis/redis/releases/tag/7.0.0
github.com/redis/redis/security/advisories/GHSA-647m-2wmq-qmvq
launchpad.net/bugs/cve/CVE-2022-24735
nvd.nist.gov/vuln/detail/CVE-2022-24735
security-tracker.debian.org/tracker/CVE-2022-24735
www.cve.org/CVERecord?id=CVE-2022-24735
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
60.0%