CVE-2022-24834

Description

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

How to fix CVE-2022-24834

To remediate CVE-2022-24834, upgrade the affected package to a fixed version below.

• —upgrade to 7.0.12-r0 or later
• —upgrade to 6.0.20 or later
• —upgrade to 6.0.20 or later
• —upgrade to 6.0.20 or later
• —upgrade to 5:6.0.16-1+deb11u3 or later
• —upgrade to 5:7.0.15-1~deb12u1 or later
• —upgrade to 5:6.0.16-1+deb11u3 or later

Is CVE-2022-24834 being exploited?

Moderate — EPSS is 49.3%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (7)

• from 0, < 7.0.12-r0
• >= 2.6.0, < 6.0.20, >= 6.2.0, < 6.2.13, >= 7.0.0, < 7.0.12
• >= 2.6.0, < 6.0.20, >= 6.2.0, < 6.2.13, >= 7.0.0, < 7.0.12
• >= 2.6.0, < 6.0.20, >= 6.2.0, < 6.2.13, >= 7.0.0, < 7.0.12
• from 0, < 5:6.0.16-1+deb11u3
• from 0, < 5:7.0.15-1~deb12u1
• from 0, < 5:6.0.16-1+deb11u3

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-24834
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-24834
• WEBgithub.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838
• WEBlists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/