Unrated severityNVD Advisory· Published Oct 7, 2024· Updated Nov 19, 2024

Lua library commands may lead to stack overflow and RCE in Redis

CVE-2024-31449

Description

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected products

Redis/Redisv5
Range: >= 2.6, < 6.2.16

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9mitrex_refsource_MISC
github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5mitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.045
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000