{"api_version":"1","generated_at":"2026-04-23T09:53:01+00:00","cve":"CVE-2022-24834","urls":{"html":"https://cve.report/CVE-2022-24834","api":"https://cve.report/api/cve/CVE-2022-24834.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-24834","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-24834"},"summary":{"title":"CVE-2022-24834","description":"Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-07-13 15:15:00","updated_at":"2023-08-14 19:15:00"},"problem_types":["CWE-122","CWE-680"],"metrics":[],"references":[{"url":"https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838","name":"https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838","refsource":"MISC","tags":[],"title":"Heap overflow issue with the Lua cjson and cmsgpack libraries used by Redis · Advisory · redis/redis · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230814-0006/","name":"https://security.netapp.com/advisory/ntap-20230814-0006/","refsource":"MISC","tags":[],"title":"CVE-2022-24834 Redis Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: redis-7.0.12-1.fc38 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: redis-7.0.12-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-24834","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24834","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"24834","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24834","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2022","cve_id":"24834","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redis","cpe5":"redis","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-24834","qid":"199978","title":"Ubuntu Security Notification for Redis Vulnerabilities (USN-6531-1)"},{"cve":"CVE-2022-24834","qid":"284322","title":"Fedora Security Update for redis (FEDORA-2023-c406ba1ff6)"},{"cve":"CVE-2022-24834","qid":"284325","title":"Fedora Security Update for redis (FEDORA-2023-800612d23a)"},{"cve":"CVE-2022-24834","qid":"355808","title":"Amazon Linux Security Advisory for redis6 : ALAS2023-2023-291"},{"cve":"CVE-2022-24834","qid":"356269","title":"Amazon Linux Security Advisory for redis : ALASREDIS6-2023-002"},{"cve":"CVE-2022-24834","qid":"505928","title":"Alpine Linux Security Update for redis"},{"cve":"CVE-2022-24834","qid":"6000455","title":"Debian Security Update for redis (DSA 5610-1)"},{"cve":"CVE-2022-24834","qid":"691209","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for redis (0e254b4a-1f37-11ee-a475-080027f5fec9)"},{"cve":"CVE-2022-24834","qid":"907325","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for redis (27477-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2022-24834","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-122: Heap-based Buffer Overflow","cweId":"CWE-122"}]},{"description":[{"lang":"eng","value":"CWE-680: Integer Overflow to Buffer Overflow","cweId":"CWE-680"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"redis","product":{"product_data":[{"product_name":"redis","version":{"version_data":[{"version_affected":"=","version_value":">= 7.0.0, < 7.0.12"},{"version_affected":"=","version_value":">= 6.2.0, < 6.2.13"},{"version_affected":"=","version_value":">= 6.0.0, < 6.0.20"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838","refsource":"MISC","name":"https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/"},{"url":"https://security.netapp.com/advisory/ntap-20230814-0006/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230814-0006/"}]},"source":{"advisory":"GHSA-p8x2-9v9q-c838","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"HIGH","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":7,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-07-13 15:15:00","lastModifiedDate":"2023-08-14 19:15:00","problem_types":["CWE-122","CWE-680"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.0","versionEndExcluding":"6.2.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*","versionStartIncluding":"2.6.0","versionEndExcluding":"6.0.20","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"24834","Ordinal":"228174","Title":"CVE-2022-24834","CVE":"CVE-2022-24834","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"24834","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}