PT-2022-2530
Published 2022-02-10 · Updated 2025-12-09
CVE-2022-24735
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Redis versions prior to 7.0.0 and 6.2.7
Description
The issue stems from weaknesses in the Lua script execution environment in Redis, which can be exploited by a less privileged user to inject Lua code that then executes with the potentially higher privileges of another Redis user. This became possible with the introduction of ACLs in Redis 6.0. The Lua script execution environment provides measures to prevent side effects, but several weaknesses in it have been publicly known for a long time. With ACLs in place, these weaknesses can be exploited to inject Lua code that executes at a later time, when a privileged user runs a Lua script.
Recommendations
For Redis versions prior to 7.0.0, update to version 7.0.0 or later.
For Redis versions prior to 6.2.7, update to version 6.2.7 or later.
As a temporary workaround, if Lua scripting is not being used, consider blocking access to the SCRIPT LOAD and EVAL commands using ACL rules.
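The workaround above expressed as ACL definitions, as an added example that is not part of the advisory: a weak entry beside the hardened one for a Redis 6.2 users.acl file. The user names, key pattern and passwords are placeholders; denying the whole @scripting category is a superset of the two commands the advisory names.

```conf
# Added example (not from the advisory). Redis 6.2 ACL file syntax; user names,
# key pattern and passwords are placeholders.

# Weak: this application user is granted every command, including EVAL,
# EVALSHA and SCRIPT LOAD, so it can populate the script cache that a
# higher-privileged user later executes from.
user app-weak on >change-me ~app:* +@all

# Hardened: same user, but the @scripting category is removed after +@all
# (later rules win). This denies EVAL, EVALSHA and SCRIPT, which covers the
# SCRIPT LOAD and EVAL commands named in the advisory. Apply this to every
# user that does not actually need Lua scripting.
user app on >change-me ~app:* +@all -@scripting

# Only the administrative role keeps scripting; keep this role's credentials
# tightly held.
user admin on >change-me-too ~* +@all
```

Load the file with ACL LOAD (or via the aclfile directive at startup) and confirm with ACL LIST that the application user's entry ends in -@scripting.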
Code Injection
Special Elements Injection
Affected Products
Alt Linux
AlmaLinux
Astra Linux
CentOS
Debian
Red Hat
Redis
Rocky Linux
SUSE