PT-2015-1300 · Redis+1

Ben Murphy · Published 2015-06-06 · Updated 2018-08-13 · CVE-2015-4335

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Redis versions prior to 2.8.21; Redis versions 3.x prior to 3.0.2

Description
The issue allows remote attackers to execute arbitrary Lua bytecode via the eval command. It stems from incorrect data type conversion in the deps/lua/src/ldo.c component of the Redis database management system: a specially crafted eval command lets a remote attacker run arbitrary Lua bytecode.

Recommendations
For Redis versions prior to 2.8.21, update to version 2.8.21 or later. For Redis versions 3.x prior to 3.0.2, update to version 3.0.2 or later. As a temporary workaround, consider restricting access to the eval command until a patch is available.
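An added helper (not part of the advisory or of Redis itself) that turns the affected-version ranges above into a check: it reads `redis_version` from the output of the `INFO server` command, decides whether the instance falls in a range the advisory lists, and also inspects a `redis.conf` fragment for the `rename-command` directive, which is one way (my suggestion, not the advisory's) to apply the temporary workaround of restricting `eval`. The INFO output and config text are constructed samples.

```python
import re

# Fixed versions stated in the advisory for each affected branch.
FIXED_2X = (2, 8, 21)
FIXED_3X = (3, 0, 2)


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints that compares naturally."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError("unrecognised Redis version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the version is in a range the advisory lists as affected."""
    v = parse_version(version)
    if v < FIXED_2X:                 # everything before 2.8.21
        return True
    if v[0] == 3 and v < FIXED_3X:   # 3.0.0 and 3.0.1
        return True
    return False                     # 2.8.21+, 3.0.2+ and later branches


def version_from_info(info_text):
    """Extract the redis_version field from 'INFO server' output."""
    for line in info_text.splitlines():
        if line.strip().startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def check_info(info_text):
    """Return (version, vulnerable) for a captured INFO server block."""
    v = version_from_info(info_text)
    return v, is_vulnerable(v)


def eval_renamed(conf_text):
    """True if redis.conf renames EVAL to the empty name, which disables it.
    The advisory names only the eval command, so only EVAL is checked here."""
    for line in conf_text.splitlines():
        parts = line.split()
        if (len(parts) == 3 and parts[0].lower() == "rename-command"
                and parts[1].upper() == "EVAL" and parts[2] == '""'):
            return True
    return False


# Constructed sample of INFO server output (not captured from a real host).
SAMPLE_INFO = "# Server\nredis_version:3.0.1\nredis_mode:standalone\n"

if __name__ == "__main__":
    version, vulnerable = check_info(SAMPLE_INFO)
    print(f"redis {version}: {'update required' if vulnerable else 'fixed version'}")
```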

Tags: Exploit · Fix · RCE


Weakness Enumeration

Related identifiers

ALT-PU-2015-1492
AZL-44232
BDU:2015-10357
CVE-2015-4335
DSA-3279-1
MGASA-2015-0244
RHSA-2015:1676

Affected products

Alt Linux
Redis