
CVE-2022-24736

Severity: Low · Public PoC

Published: 27 April 2022
Modified: 21 November 2024
KEV Added: (not listed)
Patch: (none listed)
CVSS Score v3.1: 3.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)
EPSS Score: 0.0173 (82.8th percentile)
Risk Priority: 8 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24736 is a low-severity NULL Pointer Dereference (CWE-476) vulnerability in Redis (vendor: Redis). Its CVSS v3.1 base score is 3.3 (Low).

Operationally, it is ranked in the top 17.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.


Vulnerability details

Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which results in a crash of the redis-server process.

The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to the `SCRIPT LOAD` and `EVAL` commands using ACL rules.
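An ACL configuration that implements the workaround above, shown as an added example rather than anything taken from the advisory or from the Redis project. It assumes the rules are placed as `user` directives in redis.conf, and the `app` user name and the password placeholders are constructed for illustration.

```conf
# Weak setting (constructed example): the default user may run every
# command, so any client able to authenticate can submit a crafted Lua
# script through EVAL or SCRIPT LOAD and crash redis-server.
#user default on nopass ~* &* +@all

# Hardened setting: keep the default user's access but revoke the whole
# @scripting category, which covers EVAL, EVALSHA and SCRIPT (including
# SCRIPT LOAD). Revoking the category rather than single commands closes
# the EVALSHA path as well.
user default on >CHANGE_ME_DEFAULT_PASSWORD ~* &* +@all -@scripting

# Application user (hypothetical name) granted only the data and
# connection commands it needs; scripting is never added, so the Lua
# loader is unreachable for this identity regardless of later changes
# to the default user.
user app on >CHANGE_ME_APP_PASSWORD ~app:* &* -@all +@read +@write +@connection
```

The same rule can be applied to a running instance with `ACL SETUSER default -@scripting` and checked with `ACL GETUSER default`; a runtime change should also be persisted (`ACL SAVE` when an aclfile is in use) so it survives a restart.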

CWE(s): CWE-476 (NULL Pointer Dereference)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor          Product                                    Versions
redis           redis                                      7.0 · ≤ 6.2.7
fedoraproject   fedora                                     34, 35, 36
netapp          management services for element software   all versions
netapp          management services for netapp hci         all versions
oracle          communications operations monitor          4.3, 4.4, 5.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
