PT-2022-2530 · Redis +8

Published 2022-02-10 · Updated 2025-07-11 · CVE-2022-24735

CVSS v2.0: 6.8 (Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)

Name of the Vulnerable Software and Affected Versions:

Redis versions prior to 7.0.0 and 6.2.7

Description:

The issue stems from weaknesses in the Lua script execution environment in Redis, which a less privileged user can exploit to inject Lua code that then runs with the potentially higher privileges of another Redis user. This became a privilege boundary with the introduction of ACLs in Redis 6.0. The Lua script execution environment provides measures to prevent side effects, but several weaknesses in those measures have been publicly known for a long time. With ACLs in place, these weaknesses can be used to inject Lua code that executes at a later time, when a privileged user runs a Lua script.

Recommendations:

For Redis versions prior to 7.0.0, update to version 7.0.0 or later.

For Redis versions prior to 6.2.7, update to version 6.2.7 or later.

As a temporary workaround, if Lua scripting is not being used, consider blocking access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.
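The ACL workaround above is easy to get wrong because Redis applies command rules left to right, so a `+@all` later in the rule silently re-enables scripting. The following added example (not code from the advisory or from the Redis project) models that left-to-right evaluation for a small, constructed subset of Redis command categories and checks whether a user definition still permits `EVAL`, `EVALSHA` or `SCRIPT`. The category contents, the user names and the password/key-pattern values are placeholders assumed for the example; subcommand rules such as `+script|load` are deliberately not modelled.

```python
"""Added example (not from the advisory or the Redis project): a simplified
model of how Redis ACL command rules are applied, used to check whether a
user definition still lets that user load or run Lua scripts.

Assumptions: the category membership below is a small constructed subset of
Redis's real command categories, and subcommand rules (e.g. +script|load)
are not modelled. Only +cmd / -cmd / +@cat / -@cat / allcommands /
nocommands tokens affect the result; other tokens are ignored."""

# Constructed subset of Redis command categories (assumption: the real
# @scripting, @read and @write categories contain more commands than this).
CATEGORIES = {
    "scripting": {"eval", "evalsha", "script"},
    "read": {"get", "mget", "hget", "lrange"},
    "write": {"set", "del", "hset", "lpush"},
}
ALL_COMMANDS = set().union(*CATEGORIES.values())


def allowed_commands(rule: str) -> set:
    """Apply the command-related tokens of an ACL user rule from left to
    right, the way Redis evaluates ACL SETUSER rules, and return the set of
    commands the user may run within this model."""
    allowed = set()
    for token in rule.split():
        lowered = token.lower()
        if lowered in ("allcommands", "+@all"):
            allowed = set(ALL_COMMANDS)
        elif lowered in ("nocommands", "-@all"):
            allowed = set()
        elif lowered.startswith("+@"):
            allowed |= CATEGORIES.get(lowered[2:], set())
        elif lowered.startswith("-@"):
            allowed -= CATEGORIES.get(lowered[2:], set())
        elif lowered.startswith("+"):
            # Subcommand form (+cmd|sub) is not modelled: treated as +cmd.
            allowed.add(lowered[1:].split("|")[0])
        elif lowered.startswith("-"):
            allowed.discard(lowered[1:])
        # Tokens such as on/off, >password, ~keypattern and &channel do not
        # change the command set and are skipped.
    return allowed


def can_run_lua(rule: str) -> bool:
    """True if the rule leaves any Lua-related command (EVAL, EVALSHA,
    SCRIPT) available, i.e. the advisory's workaround is not in effect."""
    return bool(allowed_commands(rule) & CATEGORIES["scripting"])


def acl_setuser(name: str, rule: str) -> str:
    """Render the rule as the ACL SETUSER command an operator would issue."""
    return f"ACL SETUSER {name} {rule}"


# Constructed user definitions; password and key pattern are placeholders.
WEAK_RULE = "on >placeholder-password ~* +@all"
HARDENED_BY_CATEGORY = "on >placeholder-password ~app:* +@read +@write -@scripting"
HARDENED_BY_COMMAND = "on >placeholder-password ~* +@all -eval -evalsha -script"
# Ordering mistake: the trailing +@all re-enables scripting again.
MISORDERED_RULE = "on >placeholder-password ~* -@scripting +@all"

if __name__ == "__main__":
    for name, rule in (("appuser-weak", WEAK_RULE),
                       ("appuser-cat", HARDENED_BY_CATEGORY),
                       ("appuser-cmd", HARDENED_BY_COMMAND),
                       ("appuser-misordered", MISORDERED_RULE)):
        print(acl_setuser(name, rule))
        print("  can load/run Lua:", can_run_lua(rule))
```

Run it with `python acl_check.py` to see each constructed rule and whether scripting survives it. The category-based form (`-@scripting`) is the more robust choice because it also covers Lua-related commands the per-command form may forget to list; either way, put the denial after any broad `+@all` grant, as the misordered rule illustrates.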

Weakness Enumeration:

Code Injection
Special Elements Injection

Related Identifiers

ALSA-2022:7541
ALSA-2022:8096
ALT-PU-2023-4109
ALT-PU-2023-4137
ALT-PU-2023-4153
BDU:2022-02945
BIT-KEYDB-2022-24735
BIT-REDIS-2022-24735
BIT-VALKEY-2022-24735
CESA-2022_7541
CVE-2022-24735
GHSA-647M-2WMQ-QMVQ
INFSA-2022_8096
MGASA-2022-0339
OPENSUSE-SU-2022_1842-1
OPENSUSE-SU-2022_1929-1
OPENSUSE-SU-2024:12030-1
RHSA-2022:7541
RHSA-2022:8096
RHSA-2022_7541
RHSA-2022_8096
RLSA-2022:7541
RLSA-2022:8096
SUSE-SU-2022:1842-1
SUSE-SU-2022:1929-1
SUSE-SU-2022_1842-1
SUSE-SU-2022_1929-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Debian
Red Hat
Redis
Rocky Linux
Suse