CVE-2022-24834

HIGH

Redis < 6.0.20 - Remote Code Execution


Description

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the bundled cjson library, resulting in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

Exploits (2)

nomisec WORKING POC (23 stars)
by convisolabs · poc
https://github.com/convisolabs/CVE-2022-24834

nomisec WORKING POC
by DukeSec97 · poc
https://github.com/DukeSec97/CVE-2022-24834-

Scores

CVSS v3 7.0
EPSS 0.4729
EPSS Percentile 97.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-122 CWE-680
Status published
Products (3)
fedoraproject/fedora 37
fedoraproject/fedora 38
redis/redis 2.6.0 - 6.0.20
Published Jul 13, 2023
Tracked Since Feb 18, 2026