CVE-2022-24736
Description
Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to SCRIPT LOAD and EVAL commands using ACL rules.
Risk Information
Base Score
5.5
MODERATE
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS Score
Exploitation Probability
1.725
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2022-24736 are fixed in Redis 6.2.7 | Windows |
| Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0 | Windows |
| (RHSA-2022:8096) redis security and bug fix update redis-6.2.7-1.el9.x86_64.rpm | Linux |
| (RHSA-2022:8096) redis security and bug fix update redis-debugsource-6.2.7-1.el9.i686.rpm | Linux |
| (RHSA-2022:8096) redis security and bug fix update redis-debugsource-6.2.7-1.el9.x86_64.rpm | Linux |
| (RHSA-2022:8096) redis security and bug fix update redis-devel-6.2.7-1.el9.i686.rpm | Linux |
| (RHSA-2022:8096) redis security and bug fix update redis-devel-6.2.7-1.el9.x86_64.rpm | Linux |
| (RHSA-2022:8096) redis security and bug fix update redis-doc-6.2.7-1.el9.noarch.rpm | Linux |
| redis security and bug fix update (RLSA-2022:8096) redis-6.2.7-1.el9.x86_64.rpm | Linux |
| redis security and bug fix update (RLSA-2022:8096) redis-doc-6.2.7-1.el9.noarch.rpm | Linux |
| redis security and bug fix update (RLSA-2022:8096) redis-devel-6.2.7-1.el9.i686.rpm | Linux |
| redis security and bug fix update (RLSA-2022:8096) redis-devel-6.2.7-1.el9.x86_64.rpm | Linux |
| Lemon update (ELSA-2023-3840) lemon-3.26.0-18.0.1.el8_8.x86_64.rpm | Linux |
| Sqlite update (ELSA-2023-3840) sqlite-3.26.0-18.0.1.el8_8.i686.rpm | Linux |
| Sqlite update (ELSA-2023-3840) sqlite-3.26.0-18.0.1.el8_8.x86_64.rpm | Linux |
| Sqlite-devel update (ELSA-2023-3840) sqlite-devel-3.26.0-18.0.1.el8_8.i686.rpm | Linux |
| Sqlite-devel update (ELSA-2023-3840) sqlite-devel-3.26.0-18.0.1.el8_8.x86_64.rpm | Linux |
| Sqlite-doc update (ELSA-2023-3840) sqlite-doc-3.26.0-18.0.1.el8_8.noarch.rpm | Linux |
| Sqlite-libs update (ELSA-2023-3840) sqlite-libs-3.26.0-18.0.1.el8_8.i686.rpm | Linux |
| Sqlite-libs update (ELSA-2023-3840) sqlite-libs-3.26.0-18.0.1.el8_8.x86_64.rpm | Linux |
| (RHSA-2022:7541)Low: security, bug fix, and enhancement update redis-debuginfo-6.2.7-1.module+el8.7.0+15197+cc495aeb.x86_64.rpm | Linux |
| sqlite update (TU-CESAS-0007) sqlite-doc-3.26.0-18.el8.noarch.rpm | Linux |
| python3 update (TU-CESAS-0007) python3-rpm-4.16.1.3-26.el9.x86_64.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-3.26.0-18.el8.i686.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-3.26.0-18.el8.x86_64.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-libs-3.26.0-18.el8.i686.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-libs-3.26.0-18.el8.x86_64.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-libs-3.34.1-7.el9.i686.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-libs-3.34.1-7.el9.x86_64.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-devel-3.26.0-18.el8.i686.rpm | Linux |
| sqlite update (TU-CESAS-0008) sqlite-devel-3.26.0-18.el8.x86_64.rpm | Linux |
| libreoffice update (TU-CESAS-0008) libreoffice-opensymbol-fonts-6.4.7.2-15.el8.noarch.rpm | Linux |
| libreoffice update (TU-CESAS-0008) libreoffice-opensymbol-fonts-7.1.8.1-11.el9.noarch.rpm | Linux |
| redis:6 security, bug fix, and enhancement update (RLSA-2022:7541) redis-6.2.7-1.module+el8.7.0+1105+8815ce78.x86_64.rpm | Linux |
| redis:6 security, bug fix, and enhancement update (RLSA-2022:7541) redis-doc-6.2.7-1.module+el8.7.0+1105+8815ce78.noarch.rpm | Linux |
| redis:6 security, bug fix, and enhancement update (RLSA-2022:7541) redis-devel-6.2.7-1.module+el8.7.0+1105+8815ce78.x86_64.rpm | Linux |
| Redis update (ELSA-2022-7541) redis-6.2.7-1.module+el8.7.0+20764+cc495aeb.x86_64.rpm | Linux |
| Redis-devel update (ELSA-2022-7541) redis-devel-6.2.7-1.module+el8.7.0+20764+cc495aeb.x86_64.rpm | Linux |
| Redis-doc update (ELSA-2022-7541) redis-doc-6.2.7-1.module+el8.7.0+20764+cc495aeb.noarch.rpm | Linux |
| redis6 Security Update (ALAS2023-2023-064) redis6-6.2.7-1.amzn2023.0.3.x86_64.rpm | Linux |
| redis6 Security Update (ALAS2023-2023-064) redis6-devel-6.2.7-1.amzn2023.0.3.x86_64.rpm | Linux |
| redis6 Security Update (ALAS2023-2023-064) redis6-doc-6.2.7-1.amzn2023.0.3.noarch.rpm | Linux |
| CVE-2022-24736 | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234