Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2022-24736

Public on 2022-04-27
Modified on 2024-01-12
Description

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

Severity
Low
See what this means
CVSS v3 Base Score
3.3
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Redis6 Extra redis 2023-08-21 20:59 ALAS2REDIS6-2023-003
Amazon Linux 2023 redis6 2023-02-17 20:45 ALAS2023-2023-064

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
NVD CVSSv2 2.1 AV:L/AC:L/Au:N/C:N/I:N/A:P
NVD CVSSv3 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

References

Red Hat: CVE-2022-24736 Mitre: CVE-2022-24736 FAQs regarding Amazon Linux ALAS/CVE Severity