Vulnerability Description
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which results in a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redis | Redis | < 6.2.7 |
| Fedoraproject | Fedora | 34 |
| Netapp | Management Services For Element Software | - |
| Netapp | Management Services For Netapp Hci | - |
| Oracle | Communications Operations Monitor | 4.3 |
Related Weaknesses (CWE)
References
- https://github.com/redis/redis/pull/10651 (Exploit, Third Party Advisory)
- https://github.com/redis/redis/releases/tag/6.2.7 (Release Notes, Third Party Advisory)
- https://github.com/redis/redis/releases/tag/7.0.0 (Release Notes, Third Party Advisory)
- https://github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984 (Patch, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202209-17 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220715-0003/ (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujul2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2022-24736?
CVE-2022-24736 is a vulnerability with a CVSS score of 3.3 (LOW). Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will res...
How severe is CVE-2022-24736?
CVE-2022-24736 has been rated LOW with a CVSS base score of 3.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-24736?
Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis, Fedoraproject Fedora, Netapp Management Services For Element Software, Netapp Management Services For Netapp Hci, Oracle Communications Operations Monitor.