Vulnerability Details : CVE-2022-0543
Public exploit exists!
It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Vulnerability category: Execute code
Products affected by CVE-2022-0543
- cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
CVE-2022-0543 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: Debian-specific Redis Server Lua Sandbox Escape Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: Redis is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2022-0543
Added on: 2022-03-28
Action due date: 2022-04-18
Exploit prediction scoring system (EPSS) score for CVE-2022-0543
EPSS score: 97.14% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~100% (the proportion of vulnerabilities that are scored at or less)
Metasploit modules for CVE-2022-0543
- Redis Lua Sandbox Escape
  Disclosure Date: 2022-02-18
  First seen: 2022-12-23
  Module: exploit/linux/redis/redis_debian_sandbox_escape
  This module exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing att
CVSS scores for CVE-2022-0543
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
10.0 | HIGH | AV:N/AC:L/Au:N/C:C/I:C/A:C | 10.0 | 10.0 | NIST | 
10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | 3.9 | 6.0 | NIST | 
CWE ids for CVE-2022-0543
- The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-0543
- https://www.debian.org/security/2022/dsa-5081
  Debian -- Page not found (Mailing List; Third Party Advisory)
- https://bugs.debian.org/1005787
  #1005787 - redis: CVE-2022-0543 - Debian Bug report logs (Issue Tracking; Patch; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20220331-0004/
  CVE-2022-0543 Redis Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)
- https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
  (Third Party Advisory)
- http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html
  Redis Lua Sandbox Escape ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry)
- https://lists.debian.org/debian-security-announce/2022/msg00048.html
  [SECURITY] [DSA 5081-1] redis security update (Mailing List; Third Party Advisory)