CVE-2022-24735

Summary

CVE	CVE-2022-24735
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2022-04-27 20:15:00 UTC
Updated	2023-11-07 03:44:00 UTC
Description	Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged users to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

Risk And Classification

Problem Types: CWE-94

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Fedoraproject	Fedora	34	All	All	All
Operating System	Fedoraproject	Fedora	35	All	All	All
Operating System	Fedoraproject	Fedora	36	All	All	All
Application	Netapp	Management Services For Element Software	-	All	All	All
Application	Netapp	Management Services For Netapp Hci	-	All	All	All
Application	Oracle	Communications Operations Monitor	4.3	All	All	All
Application	Oracle	Communications Operations Monitor	4.4	All	All	All
Application	Oracle	Communications Operations Monitor	5.0	All	All	All
Application	Redis	Redis	All	All	All	All
Application	Redis	Redis	7.0	rc1	All	All
Application	Redis	Redis	7.0	rc2	All	All
Application	Redis	Redis	7.0	rc3	All	All

References

Reference	Source	Link	Tags
Redis: Multiple Vulnerabilities (GLSA 202209-17) — Gentoo security	GENTOO	security.gentoo.org
Lua readonly tables (CVE-2022-24736, CVE-2022-24735) by oranagra · Pull Request #10651 · redis/redis · GitHub	MISC	github.com
[SECURITY] Fedora 35 Update: redis-6.2.7-1.fc35 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[SECURITY] Fedora 34 Update: redis-6.2.7-1.fc34 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Lua scripts can be manipulated to overcome ACL rules · Advisory · redis/redis · GitHub	CONFIRM	github.com
Release 6.2.7 · redis/redis · GitHub	MISC	github.com
[SECURITY] Fedora 36 Update: redis-6.2.7-1.fc36 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
June 2022 Redis Vulnerabilities in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
[SECURITY] Fedora 36 Update: redis-6.2.7-1.fc36 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Release 7.0.0 · redis/redis · GitHub	MISC	github.com
[SECURITY] Fedora 35 Update: redis-6.2.7-1.fc35 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 34 Update: redis-6.2.7-1.fc34 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Oracle Critical Patch Update Advisory - July 2022	N/A	www.oracle.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

160251 Oracle Enterprise Linux Security Update for redis:6 (ELSA-2022-7541)
160274 Oracle Enterprise Linux Security Update for redis (ELSA-2022-8096)
184172 Debian Security Update for redis (CVE-2022-24735)
240842 Red Hat Update for redis:6 security (RHSA-2022:7541)
240892 Red Hat Update for redis (RHSA-2022:8096)
282657 Fedora Security Update for redis (FEDORA-2022-a0a4c7eb31)
282658 Fedora Security Update for redis (FEDORA-2022-44373f6778)
282724 Fedora Security Update for redis (FEDORA-2022-6ed1ce2838)
354282 Amazon Linux Security Advisory for redis6 : ALAS2022-2022-115
354379 Amazon Linux Security Advisory for redis6 : ALAS2022-2022-199
355285 Amazon Linux Security Advisory for redis6 : ALAS2023-2023-064
356197 Amazon Linux Security Advisory for redis : ALASREDIS6-2023-003
501778 Alpine Linux Security Update for redis
504357 Alpine Linux Security Update for redis
690857 Free Berkeley Software Distribution (FreeBSD) Security Update for redis (cc42db1c-c65f-11ec-ad96-0800270512f4)
710625 Gentoo Linux Redis Multiple Vulnerabilities (GLSA 202209-17)
753389 SUSE Enterprise Linux Security Update for redis (SUSE-SU-2022:1929-1)
753479 SUSE Enterprise Linux Security Update for redis (SUSE-SU-2022:1842-1)
901295 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9627)
901608 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9598)
902320 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9598-1)
902478 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (9627-1)
940762 AlmaLinux Security Update for redis:6 (ALSA-2022:7541)
940817 AlmaLinux Security Update for redis (ALSA-2022:8096)
960465 Rocky Linux Security Update for redis:6 (RLSA-2022:7541)
960477 Rocky Linux Security Update for redis (RLSA-2022:8096)