CVE-2024-46981

Sažetak

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Reference

https://github.com/redis/redis/releases/tag/6.2.17
https://github.com/redis/redis/releases/tag/7.2.7
https://github.com/redis/redis/releases/tag/7.4.2
https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

CVSS

Base:	7.0
Impact:	5.9
Exploitability:	1.0

Pristup

Vektor	Složenost	Autentikacija
LOCAL	HIGH	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

06-01-2025 - 22:15

Objavljeno

06-01-2025 - 22:15