Vulnerability CVE-2022-24736: Information

Description

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-24736
Published: April 27, 2022
Modified: Nov. 7, 2023
Error type identifier: CWE-476

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
redissisyphus6.2.8-alt17.2.4-alt1.1ALT-PU-2023-1049-1313485Fixed
redissisyphus_e2k6.2.8-alt17.2.4-alt1.1ALT-PU-2023-2207-1-Fixed
redissisyphus_riscv646.2.8-alt17.2.4-alt0.portALT-PU-2023-2211-1-Fixed
redisp106.2.8-alt16.2.14-alt1ALT-PU-2023-4137-2324230Fixed
redisp10_e2k6.2.8-alt16.2.14-alt1ALT-PU-2023-4233-1-Fixed
redisc10f16.2.8-alt16.2.13-alt1ALT-PU-2023-4153-2324231Fixed
redisc9f26.2.8-alt16.2.13-alt1ALT-PU-2023-4109-2324232Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://github.com/redis/redis/pull/10651
  • Exploit
  • Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984
  • Patch
  • Third Party Advisory
https://github.com/redis/redis/releases/tag/7.0.0
  • Release Notes
  • Third Party Advisory
https://github.com/redis/redis/releases/tag/6.2.7
  • Release Notes
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20220715-0003/
  • Third Party Advisory
N/A
  • Patch
  • Third Party Advisory
GLSA-202209-17
  • Third Party Advisory
FEDORA-2022-6ed1ce2838
    FEDORA-2022-a0a4c7eb31
      FEDORA-2022-44373f6778

          1. Configuration 1

            cpe:2.3:a:redis:redis:7.0:rc2:*:*:*:*:*:*
            cpe:2.3:a:redis:redis:7.0:rc3:*:*:*:*:*:*
            cpe:2.3:a:redis:redis:7.0:rc1:*:*:*:*:*:*
            cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
            End excliding
            6.2.7

            Configuration 2

            cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

            Configuration 3

            cpe:2.3:a:netapp:management_services_for_element_software:-:*:*:*:*:*:*:*
            cpe:2.3:a:netapp:management_services_for_netapp_hci:-:*:*:*:*:*:*:*

            Configuration 4

            cpe:2.3:a:oracle:communications_operations_monitor:4.3:*:*:*:*:*:*:*
            cpe:2.3:a:oracle:communications_operations_monitor:4.4:*:*:*:*:*:*:*
            cpe:2.3:a:oracle:communications_operations_monitor:5.0:*:*:*:*:*:*:*
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.4.2
        Back to top