CVE-2022-24834
Published: 13 July 2023
Summary
CVE-2022-24834 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Redis. Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 2.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Redis is an in-memory database with optional Lua scripting support. CVE-2022-24834 is a heap overflow in the cjson library bundled with Redis that can be triggered by a specially crafted Lua script, resulting in heap corruption and potential remote code execution. The flaw affects every Redis release from 2.6 onward that includes Lua scripting and is reachable only by authenticated, authorized users.
An attacker who already holds a valid Redis account can submit the malicious script and achieve arbitrary code execution on the server. The CVSS vector (AV:L/AC:H/PR:L) indicates that the attack requires local access or an existing authenticated session and involves non-trivial complexity.
The official Redis advisory and subsequent distribution notices recommend immediate upgrade to the patched releases 7.0.12, 6.2.13, or 6.0.20. No other work-arounds are documented.
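As an added example (not code from the advisory or the Redis project), the following Python check reads the `redis_version` line from `INFO server` output and decides whether an instance falls in the affected range using the patched releases listed above. The sample INFO text is constructed, and treating any release newer than 7.0.12 as carrying the fix is an assumption, as is treating older branches with no listed patched release (for example 5.x) as still affected.

```python
import re

# Patched releases named in the advisory for this CVE.
FIXED = {(7, 0): (7, 0, 12), (6, 2): (6, 2, 13), (6, 0): (6, 0, 20)}
# Lua scripting (and the bundled cjson) first shipped in Redis 2.6.
FIRST_AFFECTED = (2, 6, 0)

# Constructed sample of `redis-cli INFO server` output, not a real capture.
SAMPLE_INFO = """# Server
redis_version:6.2.11
redis_git_sha1:00000000
redis_mode:standalone
"""


def parse_version(info_text):
    """Return redis_version from INFO output as a (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.MULTILINE)
    if not m:
        raise ValueError("redis_version not found in INFO output")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if `version` is inside the affected range for CVE-2022-24834."""
    if version < FIRST_AFFECTED:
        return False  # no Lua scripting, so the cjson path is unreachable
    branch = version[:2]
    if branch in FIXED:
        return version < FIXED[branch]
    # Assumption: releases after 7.0.12 include the fix; older branches with
    # no listed patched release (e.g. 5.x, 4.x) are treated as still affected.
    return version < (7, 0, 12)


def assess(info_text):
    """Summarise the finding for a single instance."""
    version = parse_version(info_text)
    return {
        "version": ".".join(map(str, version)),
        "vulnerable": is_vulnerable(version),
        "fixed_releases": ["7.0.12", "6.2.13", "6.0.20"],
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```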
EPSS currently stands at 0.4932, equal to its recorded peak, indicating moderate but stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-29620
Vulnerability details
Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.