CVE-2024-31449

HIGH LAB

Redis < 6.2.16 - Improper Input Validation


Description

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploits (1)

nomisec WORKING POC
by daeseong1209 · poc
https://github.com/daeseong1209/CVE-2024-31449

Scores

CVSS v3 7.0
EPSS 0.6183
EPSS Percentile 98.3%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Lab Environment

Community Lab
docker pull redis@sha256:9bc34afe08ca30ef179404318cdebe6430ceda35a4ebe4b67d10789b17bdf7c4

Details

CWE
CWE-121 CWE-20
Status published
Products (2)
redis/redis 7.4.0 (3 CPE variants)
redis/redis 2.8.18 - 6.2.16
Published Oct 07, 2024
Tracked Since Feb 18, 2026