CVE-2024-46981
Published: 06 January 2025
Summary
CVE-2024-46981 is a high-severity Use After Free (CWE-416) vulnerability in Redis. Its CVSS base score is 7.0 (High).
Operationally, it ranks in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-7 (Least Functionality).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the use-after-free vulnerability in the Redis Lua garbage collector by applying vendor patches in versions 7.4.2, 7.2.7, and 6.2.17, preventing RCE via crafted Lua scripts.
AC-6 (Least Privilege): enforces least privilege using Redis ACLs to restrict the EVAL and EVALSHA commands to only the users that need them, blocking exploitation by low-privilege authenticated users as recommended in the vendor workaround.
CM-7 (Least Functionality): removes unnecessary functionality by disabling or restricting Lua script execution, shrinking the attack surface available for garbage-collector manipulation.
NVD Description
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Deeper analysis
CVE-2024-46981 is a vulnerability in Redis, an open-source in-memory database that persists data on disk. It stems from a use-after-free error (CWE-416) that allows an authenticated user to execute a specially crafted Lua script, manipulating the garbage collector and potentially leading to remote code execution. The issue affects Redis versions prior to 7.4.2, 7.2.7, and 6.2.17, with a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H).
An attacker with low-privilege authenticated access to the Redis instance can exploit this vulnerability by submitting a crafted Lua script through the commands that evaluate scripts; the attack is rated high complexity. Although the CVSS vector indicates a local attack vector, exploitation occurs remotely over the network once authentication is achieved, enabling high confidentiality, integrity, and availability impacts through potential remote code execution in the redis-server process.
Redis advisories and patch releases confirm fixes in versions 7.4.2, 7.2.7, and 6.2.17, available via GitHub release tags. A workaround without patching involves using Redis ACLs to restrict execution of EVAL and EVALSHA commands, preventing Lua script evaluation by users. Additional details appear in the Redis security advisory (GHSA-39h2-x6c4-6w4c) and related distributions like Debian LTS announcements.
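The ACL workaround above is only effective if every enabled user actually loses EVAL and EVALSHA, and Redis ACL rules are evaluated left to right with later rules overriding earlier ones, so a `+@all` followed by `-@scripting` is safe while a `-@all` followed by `+eval` is not. The following audit script is an added example (not Redis code and not part of this advisory): it parses a `users.acl` file (the same `user <name> <rules>` format that `ACL LIST` prints) and reports every enabled user who can still run EVAL or EVALSHA. The sample ACL text is constructed; it assumes the documented ACL tokens (`on`/`off`, `+cmd`/`-cmd`, `+@category`/`-@category`, `allcommands`/`nocommands`) and that `eval`/`evalsha` belong to the `@scripting` and `@slow` categories. Redis 7 ACL selectors (`(...)` groups) are not parsed.

```python
"""Audit a Redis users.acl file for enabled users who can still run EVAL / EVALSHA.

Added example for the CVE-2024-46981 ACL workaround; not Redis project code.
The SAMPLE_ACL below is constructed and does not describe any real deployment.
"""

# Commands the advisory says to restrict, and the ACL categories that contain
# them: eval and evalsha are members of @scripting and @slow.
SCRIPT_COMMANDS = ("eval", "evalsha")
SCRIPT_CATEGORIES = ("scripting", "slow")


def command_allowed(rules, command, categories):
    """Apply ACL rule tokens left to right, as redis-server does (later rules
    override earlier ones), and return whether `command` ends up permitted."""
    allowed = False  # a fresh user has no commands
    for token in rules:
        t = token.lower()
        if t in ("allcommands", "+@all"):
            allowed = True
        elif t in ("nocommands", "-@all"):
            allowed = False
        elif t.startswith("+@") or t.startswith("-@"):
            # category grant/deny only matters if the command is in that category
            if t[2:] in categories:
                allowed = t[0] == "+"
        elif t[0] in "+-" and t[1:].split("|", 1)[0] == command:
            # "+cmd", "-cmd" or "+cmd|subcommand"; a subcommand grant still counts
            # as exposure for an audit, so treat it conservatively as allowed
            allowed = t[0] == "+"
        # key patterns (~), channels (&), passwords (>), on/off etc. do not
        # affect command permissions and are ignored here
    return allowed


def user_enabled(rules):
    """A user is enabled only if the last on/off token seen is 'on'."""
    enabled = False
    for t in rules:
        if t == "on":
            enabled = True
        elif t == "off":
            enabled = False
    return enabled


def parse_acl_file(text):
    """Return [(username, [rule tokens])] for every 'user ...' line; blank
    lines and comments are skipped."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "user":
            users.append((parts[1], parts[2:]))
    return users


def audit_script_access(text):
    """Return [(username, [exposed script commands])] for enabled users who
    can still run any of SCRIPT_COMMANDS, in file order."""
    flagged = []
    for name, rules in parse_acl_file(text):
        if not user_enabled(rules):
            continue  # disabled users cannot authenticate, so no exposure
        exposed = [c for c in SCRIPT_COMMANDS
                   if command_allowed(rules, c, SCRIPT_CATEGORIES)]
        if exposed:
            flagged.append((name, exposed))
    return flagged


# Constructed sample: five users showing the common ACL patterns.
SAMPLE_ACL = """\
# constructed users.acl for the audit example
user default on nopass ~* &* +@all
user app on >s3cret ~app:* +@all -@scripting
user batch on >s3cret ~* +@all -eval -evalsha
user reports on >s3cret ~* -@all +@read +eval
user retired off >s3cret ~* +@all
"""

if __name__ == "__main__":
    for name, exposed in audit_script_access(SAMPLE_ACL):
        print(f"user {name!r} can still run: {', '.join(exposed)}")
```

In the sample, `app` and `batch` are correctly restricted, `retired` is disabled, while `default` (unrestricted `+@all`) and `reports` (an explicit `+eval` after `-@all`) are reported; the remediation for those is the advisory's `ACL SETUSER <name> -eval -evalsha` (or `-@scripting`), after which the script returns an empty list. Run the same check against `redis-cli ACL LIST` output, minus the surrounding quotes, to audit a live instance.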
Details
- CWE(s)