CVE-2022-24735
Published on: Not Yet Published
Last Modified on: 10/07/2022 03:21:00 PM UTC
Certain versions of Fedora from Fedoraproject contain the following vulnerability:
Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same or a different script at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
- CVE-2022-24735 has been assigned by [email protected] to track the vulnerability; it is currently rated as HIGH severity.
- Affected Vendor/Software: redis - redis version < 7.0.0
- Affected Vendor/Software: redis - redis version >= 6.0.0, < 6.2.7
CVSS3 Score: 7.8 - HIGH

Attack Vector | Attack Complexity | Privileges Required | User Interaction |
---|---|---|---|
LOCAL | LOW | NONE | REQUIRED |

Scope | Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|---|
UNCHANGED | HIGH | HIGH | HIGH |
CVSS2 Score: 6.8 - MEDIUM

Access Vector | Access Complexity | Authentication |
---|---|---|
NETWORK | MEDIUM | NONE |

Confidentiality Impact | Integrity Impact | Availability Impact |
---|---|---|
PARTIAL | PARTIAL | PARTIAL |
CVE References

Description | Link | Tags |
---|---|---|
Redis: Multiple Vulnerabilities (GLSA 202209-17) — Gentoo security | security.gentoo.org | text/html |
Lua readonly tables (CVE-2022-24736, CVE-2022-24735) by oranagra · Pull Request #10651 · redis/redis · GitHub | github.com | text/html |
[SECURITY] Fedora 34 Update: redis-6.2.7-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | text/html |
Lua scripts can be manipulated to overcome ACL rules · Advisory · redis/redis · GitHub | github.com | text/html |
Release 6.2.7 · redis/redis · GitHub | github.com | text/html |
[SECURITY] Fedora 36 Update: redis-6.2.7-1.fc36 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | text/html |
June 2022 Redis Vulnerabilities in NetApp Products | NetApp Product Security | security.netapp.com | text/html |
Release 7.0.0 · redis/redis · GitHub | github.com | text/html |
[SECURITY] Fedora 35 Update: redis-6.2.7-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | text/html |
Oracle Critical Patch Update Advisory - July 2022 | www.oracle.com | text/html |
Related QID Numbers
- 160251 Oracle Enterprise Linux Security Update for redis:6 (ELSA-2022-7541)
- 160274 Oracle Enterprise Linux Security Update for redis (ELSA-2022-8096)
- 240842 Red Hat Update for redis:6 security (RHSA-2022:7541)
- 240892 Red Hat Update for redis (RHSA-2022:8096)
- 282657 Fedora Security Update for redis (FEDORA-2022-a0a4c7eb31)
- 282658 Fedora Security Update for redis (FEDORA-2022-44373f6778)
- 282724 Fedora Security Update for redis (FEDORA-2022-6ed1ce2838)
- 354282 Amazon Linux Security Advisory for redis6 : ALAS2022-2022-115
- 354379 Amazon Linux Security Advisory for redis6 : ALAS2022-2022-199
- 501778 Alpine Linux Security Update for redis
- 690857 Free Berkeley Software Distribution (FreeBSD) Security Update for redis (cc42db1c-c65f-11ec-ad96-0800270512f4)
- 710625 Gentoo Linux Redis Multiple Vulnerabilities (GLSA 202209-17)
- 753389 SUSE Enterprise Linux Security Update for redis (SUSE-SU-2022:1929-1)
- 753479 SUSE Enterprise Linux Security Update for redis (SUSE-SU-2022:1842-1)
- 901295 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9627)
- 901608 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9598)
- 902320 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9598-1)
- 902478 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9627-1)
- 940762 AlmaLinux Security Update for redis:6 (ALSA-2022:7541)
- 940817 AlmaLinux Security Update for redis (ALSA-2022:8096)
- 960465 Rocky Linux Security Update for redis:6 (RLSA-2022:7541)
Exploit/POC from Github
This repository contains a collection of data files on known Common Vulnerabilities and Exposures (CVEs). Each file i…
Known Affected Configurations (CPE V2.3)
Type | Vendor | Product | Version | Update | Edition | Language |
---|---|---|---|---|---|---|
Operating System | Fedoraproject | Fedora | 34 | All | All | All |
Operating System | Fedoraproject | Fedora | 35 | All | All | All |
Operating System | Fedoraproject | Fedora | 36 | All | All | All |
Application | Netapp | Management Services For Element Software | - | All | All | All |
Application | Netapp | Management Services For Netapp Hci | - | All | All | All |
Application | Oracle | Communications Operations Monitor | 4.3 | All | All | All |
Application | Oracle | Communications Operations Monitor | 4.4 | All | All | All |
Application | Oracle | Communications Operations Monitor | 5.0 | All | All | All |
Application | Redis | Redis | All | All | All | All |
Application | Redis | Redis | 7.0 | rc1 | All | All |
Application | Redis | Redis | 7.0 | rc2 | All | All |
Application | Redis | Redis | 7.0 | rc3 | All | All |
- cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*:
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*:
- cpe:2.3:a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*:
- cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*:
- cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*:
- cpe:2.3:a:redis:redis:7.0:rc1:*:*:*:*:*:*:
- cpe:2.3:a:redis:redis:7.0:rc2:*:*:*:*:*:*:
- cpe:2.3:a:redis:redis:7.0:rc3:*:*:*:*:*:*:
Social Mentions

Title | Posted (UTC) |
---|---|
Redis (@Redisinc) v6.2.7 and v7.0.0 released to address CVE-2022-24735 and CVE-2022-24736: "By exploiting weakne… twitter.com/i/web/status/1… | 2022-04-27 15:33:25 |
[RELEASE] Redis 6.2.7 is out! Upgrade urgency: SECURITY. * CVE-2022-24736 * CVE-2022-24735 Mailing list discussi… twitter.com/i/web/status/1… | 2022-04-27 17:03:52 |
CVE-2022-24735 : Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script e… twitter.com/i/web/status/1… | 2022-04-27 19:48:34 |
CVE-2022-24735 | 2022-04-27 19:53:02 |
Seems Like OPNsense 22.1.6 Really Needs an Update Soon... | 2022-05-05 18:58:28 |
DSM Version: 7.1.1-42951 (Release Candidate) | 2022-08-10 06:07:14 |
Has anyone seen the release notes for the latest DSM 7.1.1 Release Candidate. Fixes a scary amount of CVEs. | 2022-08-16 14:26:29 |
DSM 7.1.1-42962 released! | 2022-09-05 11:39:36 |