Skip to content

Heap overflow issue with the Lua cjson and cmsgpack libraries used by Redis

High
yossigo published GHSA-p8x2-9v9q-c838 Jul 10, 2023

Package

redis-server (N/A)

Affected versions

All

Patched versions

7.0.12, 6.2.13, 6.0.20

Description

Impact

A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson and cmsgpack libraries, and result in heap corruption and potentially remote code execution.

The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users.

Patches

The problem is fixed in versions 7.0.12, 6.2.13, 6.0.20.

Workarounds

An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Credit

The problem was reported by Seiya Nakata and Yudai Fujiwara, security researchers from Ricerca Security, Inc.

For more information

If you have any questions or comments about this advisory:

Severity

High
7.0
/ 10

CVSS base metrics

Attack vector
Local
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-24834

Weaknesses