Vulnerability Details : CVE-2022-24834
Potential exploit
Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.
Vulnerability category: OverflowExecute code
Products affected by CVE-2022-24834
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
- cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
- cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
Threat overview for CVE-2022-24834
Top countries where our scanners detected CVE-2022-24834
Top open port discovered on systems with this issue
6379
IPs affected by CVE-2022-24834 55,994
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2022-24834!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2022-24834
0.20%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 58 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24834
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST | |
7.0
|
HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.0
|
5.9
|
GitHub, Inc. | |
8.8
|
HIGH | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
N/A
|
N/A
|
Oracle:CPUOct2023 |
CWE ids for CVE-2022-24834
-
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().Assigned by: security-advisories@github.com (Primary)
-
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.Assigned by: security-advisories@github.com (Primary)
References for CVE-2022-24834
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/
[SECURITY] Fedora 38 Update: redis-7.0.12-1.fc38 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://security.netapp.com/advisory/ntap-20230814-0006/
CVE-2022-24834 Redis Vulnerability in NetApp Products | NetApp Product Security
-
https://github.com/redis/redis/security/advisories/GHSA-p8x2-9v9q-c838
Heap overflow issue with the Lua cjson and cmsgpack libraries used by Redis · Advisory · redis/redis · GitHubVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/
[SECURITY] Fedora 37 Update: redis-7.0.12-1.fc37 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
Jump to