Cyber Resilience

CVE-2022-24834

High

Published: 13 July 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (7.0.12, 6.2.13, 6.0.20)
CVSS Score v3.1: 7.0 (High) CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.4932 (97.9th percentile)
Risk Priority: 44 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24834 is a high-severity Heap-based Buffer Overflow (CWE-122) vulnerability in Redis. Its CVSS v3.1 base score is 7.0 (High).

Operationally, its EPSS score places it in the top 2.1% of CVEs by estimated exploit likelihood, but it is not currently listed in the CISA KEV catalog.

Deeper analysis

Redis is an in-memory data store that has shipped with server-side Lua scripting since version 2.6. CVE-2022-24834 is a heap overflow in the cjson library bundled with the Lua interpreter: a specially crafted Lua script can trigger it, corrupting the heap and potentially leading to remote code execution in the redis-server process. Every Redis release from 2.6 onward that includes Lua scripting is affected, but the bug is reachable only by clients that are already authenticated and permitted to run scripts.

An attacker who already holds valid credentials for the instance and is allowed to execute scripts can submit the malicious script and potentially gain arbitrary code execution on the server. The CVSS vector (AV:L/AC:H/PR:L/UI:N) rates the path as local, high-complexity and requiring low privileges with no user interaction. Treat the "authenticated" qualifier with care: on an instance with no requirepass and no ACL configuration, the default user authenticates without a password, so anyone who can reach the port is already an authorized user.

The official Redis advisory and subsequent distribution notices recommend upgrading immediately to the patched releases 7.0.12, 6.2.13 or 6.0.20; upgrading is the only fix. As an interim compensating control where an upgrade cannot be applied at once, denying script execution (the EVAL, EVALSHA, SCRIPT, FUNCTION and FCALL commands, i.e. the @scripting ACL category) to every user that does not need it removes the trigger path described above, but it does not remove the bug.
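As an added triage example (not code from the Redis project or from this page), the following Python script answers the two questions a defender wants answered for a given instance: whether its redis_version falls inside the affected ranges listed under Affected Assets, and which enabled ACL users can still reach the Lua script path. The `INFO server` and `ACL LIST` text it parses is constructed for the example. Its ACL evaluation is a deliberate simplification of Redis's rule processing: only command and category rules are applied, left to right; key, channel and Redis 7 selector rules are ignored.

```python
"""Triage helper for CVE-2022-24834 (heap overflow in Redis's bundled cjson).

Added example, not code from Redis or from the advisory. Two checks driven by
text that redis-cli already returns:
  1. is_vulnerable_version(): is redis_version inside an affected range
     (2.6.0 <= v < 6.0.20, 6.2.0 <= v < 6.2.13, 7.0.0 <= v < 7.0.12), and
     which fixed release does that branch need?
  2. users_who_can_run_scripts(): which enabled ACL users can still reach the
     Lua trigger path (EVAL/EVALSHA/SCRIPT/FUNCTION/FCALL)?  Simplified ACL
     simulation: command/category rules left to right; key, channel and
     Redis 7 selector rules are ignored.
The INFO and ACL LIST samples near the bottom are constructed for this example.
"""
from __future__ import annotations

import re

# [introduced, fixed) per release branch, from the advisory's affected ranges.
AFFECTED_RANGES = [
    ((2, 6, 0), (6, 0, 20)),
    ((6, 2, 0), (6, 2, 13)),
    ((7, 0, 0), (7, 0, 12)),
]

# Commands that load or execute Lua; all belong to the @scripting ACL category.
SCRIPTING_COMMANDS = frozenset(
    {"eval", "evalsha", "eval_ro", "evalsha_ro", "script", "function", "fcall", "fcall_ro"}
)


def parse_version(text: str) -> tuple[int, int, int]:
    """Pull x.y.z out of `INFO server` output; a bare 'x.y.z' string also works."""
    m = re.search(r"redis_version:(\d+)\.(\d+)\.(\d+)", text) or re.search(
        r"\b(\d+)\.(\d+)\.(\d+)\b", text
    )
    if not m:
        raise ValueError("no redis_version found in input")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_vulnerable_version(text: str) -> tuple[bool, str | None]:
    """Return (vulnerable, fixed release for this branch or None)."""
    v = parse_version(text)
    for introduced, fixed in AFFECTED_RANGES:
        if introduced <= v < fixed:
            return True, ".".join(str(n) for n in fixed)
    return False, None


def users_who_can_run_scripts(acl_list: str) -> dict[str, list[str]]:
    """Map each enabled user to the scripting commands its rules still permit.

    Over-approximates in the safe direction: '+script|load' counts as exposure
    although SCRIPT LOAD alone runs nothing, and a '-cmd|sub' rule is not
    treated as removing the whole command.
    """
    exposed: dict[str, list[str]] = {}
    for line in acl_list.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "user":
            continue
        name, rules = parts[1], parts[2:]
        enabled = False
        allowed: set[str] = set()  # a fresh user starts as off, nocommands
        for rule in rules:
            r = rule.lower()
            if r == "on":
                enabled = True
            elif r == "off":
                enabled = False
            elif r in ("allcommands", "+@all", "+@scripting"):
                allowed = set(SCRIPTING_COMMANDS)
            elif r in ("nocommands", "-@all", "-@scripting"):
                allowed.clear()
            elif r[0] in "+-" and r[1:2] != "@":  # other categories are ignored
                cmd, _, sub = r[1:].partition("|")
                if cmd not in SCRIPTING_COMMANDS:
                    continue
                if r[0] == "+":
                    allowed.add(cmd)
                elif not sub:  # '-eval' removes it; '-script|flush' does not
                    allowed.discard(cmd)
        if enabled and allowed:
            exposed[name] = sorted(allowed)
    return exposed


# Constructed samples of what `redis-cli INFO server` and `redis-cli ACL LIST` return.
SAMPLE_INFO = "# Server\r\nredis_version:7.0.11\r\nredis_mode:standalone\r\n"
SAMPLE_ACL = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #<sha256> ~app:* &* -@all +@read +@write
user batch on #<sha256> ~* &* -@all +@all -@scripting +evalsha
user legacy off nopass ~* &* +@all
"""


def triage(info: str, acl_list: str) -> dict:
    """Combine both checks into the report a runbook would act on."""
    vulnerable, fixed = is_vulnerable_version(info)
    exposed = users_who_can_run_scripts(acl_list) if vulnerable else {}
    return {
        "version": ".".join(str(n) for n in parse_version(info)),
        "vulnerable": vulnerable,
        "upgrade_to": fixed,
        "exposed_users": exposed,
        # Interim control until the upgrade lands: strip scripting from each exposed user.
        "interim_acl_commands": [f"ACL SETUSER {u} -@scripting" for u in exposed],
    }


if __name__ == "__main__":
    import json

    print(json.dumps(triage(SAMPLE_INFO, SAMPLE_ACL), indent=2))
```

Feed it the real output of `redis-cli INFO server` and `redis-cli ACL LIST`. In the constructed sample the report flags 7.0.11 as needing 7.0.12, lists `default` (which also has `nopass`) and `batch` as users who can still run scripts, and leaves `app` and the disabled `legacy` user out. The suggested `ACL SETUSER <name> -@scripting` lines are an interim control only; persist them with `ACL SAVE` or in the ACL file, and remove the rule once the patched release is deployed if those users genuinely need scripting.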

EPSS currently stands at 0.4932, roughly a 49% estimated probability of exploitation activity within the next 30 days, which is also its recorded peak. The score has stayed flat since disclosure, so exploitation interest is high relative to the wider CVE population but not rising.

EU & UK References

Vulnerability details

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result in heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

redis
redis
2.6.0 up to (excluding) 6.0.20 · 6.2.0 up to (excluding) 6.2.13 · 7.0.0 up to (excluding) 7.0.12
fedoraproject
fedora
37, 38

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References