CVE-2022-24834

CVSS V2 None CVSS V3 None

Description

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

Overview

CVE ID
CVE-2022-24834

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2023-07-13T14:35:41.181Z

Last Modified Date
2023-07-13T14:35:41.181Z

Weakness Enumerations

CWE	URL
CWE-122	http://cwe.mitre.org/data/definitions/122.html
CWE-680	http://cwe.mitre.org/data/definitions/680.html

References

Reference URL	Reference Tags
https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838	x_refsource_CONFIRM
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/
https://security.netapp.com/advisory/ntap-20230814-0006/

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2022-24834
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24834

History

Created	Old Value	New Value	Data Type	Notes
2024-06-24 17:33:44				Added to TrackCVE