Unrated severityNVD Advisory· Published Jul 13, 2023· Updated Feb 13, 2025

Heap overflow issue with the Lua cjson library used by Redis

CVE-2022-24834

Description

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

Affected products

Redis/Redisv5
Range: >= 7.0.0, < 7.0.12

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838mitrex_refsource_CONFIRM
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/mitre
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/mitre
security.netapp.com/advisory/ntap-20230814-0006/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.036
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000