CVE-2022-24736

Description

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

How to fix CVE-2022-24736

To remediate CVE-2022-24736, upgrade the affected package to a fixed version below.

• —upgrade to 6.2.7-r0 or later
• —upgrade to 6.2.7 or later
• —upgrade to 6.2.7 or later
• —upgrade to 6.2.7 or later
• —no fix listed

Is CVE-2022-24736 being exploited?

Low — EPSS is 1.7%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 6.2.7-r0
• from 0, < 6.2.7
• from 0, < 6.2.7
• from 0, < 6.2.7
• from 0

CVSS scores

References (13)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-24736
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-24736
• WEBgithub.com/redis/redis/pull/10651
• WEBgithub.com/redis/redis/releases/tag/6.2.7
• WEB