CVE-2024-31449

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9
https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-07 20:15

Updated : 2024-10-10 12:57

NVD link : CVE-2024-31449

Mitre link : CVE-2024-31449

CVE.ORG link : CVE-2024-31449

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

CWE-121

Stack-based Buffer Overflow

7.0 /10