CVE-2024-31449

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9
https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5

Configurations

No configuration.

History

10 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Redis es una base de datos en memoria de código abierto que persiste en el disco. Un usuario autenticado puede usar un script Lua especialmente manipulado para provocar un desbordamiento del búfer de pila en la librería de bits, lo que puede provocar la ejecución remota de código. El problema existe en todas las versiones de Redis con scripts Lua. Este problema se ha solucionado en las versiones 6.2.16, 7.2.6 y 7.4.1 de Redis. Se recomienda a los usuarios que actualicen la versión. No existen workarounds conocidas para esta vulnerabilidad.

07 Oct 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-07 20:15

Updated : 2024-10-10 12:57

NVD link : CVE-2024-31449

Mitre link : CVE-2024-31449

CVE.ORG link : CVE-2024-31449

JSON object : View

Products Affected

No product.

CWE

CWE-121

Stack-based Buffer Overflow

CWE-20

Improper Input Validation

7.0 /10