Unrated severityNVD Advisory· Published Apr 27, 2022· Updated Apr 22, 2025
A Malformed Lua script can crash Redis
CVE-2022-24736
Description
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
13- osv-coords11 versionspkg:bitnami/keydbpkg:bitnami/redispkg:bitnami/valkeypkg:rpm/almalinux/redispkg:rpm/almalinux/redis-develpkg:rpm/almalinux/redis-docpkg:rpm/opensuse/redis&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/redis&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/redis&distro=openSUSE%20Tumbleweedpkg:rpm/suse/redis&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3pkg:rpm/suse/redis&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP4
< 6.2.7+ 10 more
- (no CPE)range: < 6.2.7
- (no CPE)range: < 6.2.7
- (no CPE)range: < 6.2.7
- (no CPE)range: < 6.2.7-1.module_el8.7.0+3288+a82c1b48
- (no CPE)range: < 6.2.7-1.module_el8.7.0+3288+a82c1b48
- (no CPE)range: < 6.2.7-1.module_el8.7.0+3288+a82c1b48
- (no CPE)range: < 6.0.14-150200.6.11.1
- (no CPE)range: < 6.2.6-150400.3.3.7
- (no CPE)range: < 6.2.7-1.1
- (no CPE)range: < 6.0.14-150200.6.11.1
- (no CPE)range: < 6.2.6-150400.3.3.7
Patches
Vulnerability mechanics
References
10- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J4ZK3675DGHVVDOFLJN7WX6YYH27GPMK/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VPYKSG7LKUJGVM2P72EHXKVRVRWHLORX/mitrevendor-advisoryx_refsource_FEDORA
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WSTPUCAPBRHIFPSCOURR4OYX4E2OISAF/mitrevendor-advisoryx_refsource_FEDORA
- security.gentoo.org/glsa/202209-17mitrevendor-advisoryx_refsource_GENTOO
- github.com/redis/redis/pull/10651mitrex_refsource_MISC
- github.com/redis/redis/releases/tag/6.2.7mitrex_refsource_MISC
- github.com/redis/redis/releases/tag/7.0.0mitrex_refsource_MISC
- github.com/redis/redis/security/advisories/GHSA-3qpw-7686-5984mitrex_refsource_CONFIRM
- security.netapp.com/advisory/ntap-20220715-0003/mitrex_refsource_CONFIRM
- www.oracle.com/security-alerts/cpujul2022.htmlmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.