CVE-2024-31449 HIGH

CVE-2024-31449: Lua library commands may lead to stack overflow and RCE in Redis

Vendor Redis

Product redis

Weakness CWE-20 · Input validation

Published October 7, 2024

Last update November 19, 2024

View on NVD All CVEs

CVSS base score

7.0/10

Attack vector Local

Attack complexity High

Privileges required Low

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

02Disclosure timeline

October 7, 2024 CVE published

November 19, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-31449 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/20.html

Related vulnerabilities

Identifiers

CVE CVE-2024-31449

CWE CWE-20

CVSS 7.0 / HIGH

Affected versions

Vendor Redis

Product redis

Affected >= 2.6, < 6.2.16

Vendor Redis

Product redis

Affected >= 7.0.0, < 7.2.6

Vendor Redis

Product redis

Affected >= 7.3.0, < 7.4.1

CVE-2024-31449: Lua library commands may lead to stack overflow and RCE in Redis

01Description

02Disclosure timeline

03References

04Related CVE