CVE-2024-46981
Published: 06 January 2025
Description
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Security Summary
CVE-2024-46981 is a vulnerability in Redis, an open-source in-memory database that persists data on disk. It stems from a use-after-free error (CWE-416) that allows an authenticated user to execute a specially crafted Lua script, manipulating the garbage collector and potentially leading to remote code execution. The issue affects Redis versions prior to 7.4.2, 7.2.7, and 6.2.17, with a CVSS v3.1 base score of 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H).
An attacker with low-privilege authenticated access to the Redis instance can exploit this vulnerability by submitting a crafted Lua script through the script-evaluation commands; the attack complexity is rated high (AC:H). Although the CVSS vector indicates a local attack vector, exploitation occurs remotely over the network once authentication is achieved, enabling high confidentiality, integrity, and availability impacts through potential remote code execution in the redis-server process.
Redis advisories and patch releases confirm fixes in versions 7.4.2, 7.2.7, and 6.2.17, available via GitHub release tags. A workaround without patching involves using Redis ACLs to restrict execution of EVAL and EVALSHA commands, preventing Lua script evaluation by users. Additional details appear in the Redis security advisory (GHSA-39h2-x6c4-6w4c) and related distributions like Debian LTS announcements.
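The two actionable facts above, the fixed versions and the ACL workaround, can be turned into a quick audit. The script below is an added example, not code from the advisory or from the Redis project: it takes the `redis_version` string from `INFO server` and the lines printed by `ACL LIST`, reports whether the build is older than the fix for its branch, and lists enabled users whose ACL rules still permit EVAL or EVALSHA. It assumes Redis 7 style ACL LIST output (ordered `+cmd`/`-cmd`/`+@category`/`-@category` rules), interprets only the `@all` and `@scripting` categories (EVAL and EVALSHA belong to `@scripting`), and treats branches the advisory does not mention (such as 7.0.x) as "not assessed" rather than safe. The sample ACL lines are constructed.

```python
"""Added audit helper for CVE-2024-46981 (example code, not part of the advisory or of Redis).

It applies the two facts the advisory gives: the fixed versions (7.4.2, 7.2.7, 6.2.17) and
the workaround of denying EVAL/EVALSHA through ACLs. Inputs are text a defender already has:
`redis_version` from `INFO server` and the lines printed by `ACL LIST`.
Assumption: ACL LIST output uses Redis 7 syntax (+cmd / -cmd / +@category / -@category rules,
evaluated left to right), and the only categories interpreted are @all and @scripting, to
which EVAL and EVALSHA belong.
"""

# Fixed release per branch, as stated in the advisory.
FIXED_VERSIONS = {(6, 2): (6, 2, 17), (7, 2): (7, 2, 7), (7, 4): (7, 4, 2)}

# The commands the advisory's workaround tells you to restrict.
SCRIPT_COMMANDS = ("eval", "evalsha")


def parse_version(version_str):
    """'7.2.6' -> (7, 2, 6); a suffix such as '-rc1' is dropped."""
    core = version_str.strip().split("-")[0]
    return tuple(int(part) for part in core.split(".")[:3])


def is_vulnerable_version(version_str):
    """True if the branch is one the advisory lists and the build is older than its fix.
    None for branches the advisory does not mention (e.g. 7.0.x): not assessed, not cleared."""
    version = parse_version(version_str)
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def parse_acl_line(line):
    """Split one `ACL LIST` line into (user, enabled, command_rules).

    Flags (on/off/nopass/...), password hashes (#...), key patterns (~...) and channel
    patterns (&...) are skipped; only +/- command rules are kept, in order.
    """
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {line!r}")
    name = tokens[1]
    enabled = "on" in tokens[2:]
    rules = []
    for token in tokens[2:]:
        if token == "allcommands":      # SETUSER aliases, in case the input was hand-written
            rules.append("+@all")
        elif token == "nocommands":
            rules.append("-@all")
        elif token[0] in "+-":
            rules.append(token)
    return name, enabled, rules


def can_run(rules, command):
    """Evaluate ordered ACL rules for one top-level command; Redis denies by default."""
    allowed = False
    for rule in rules:
        sign, body = rule[0], rule[1:].lower()
        if "|" in body:            # subcommand rule (e.g. +config|get); EVAL has none, skip
            continue
        if body in ("@all", "@scripting", command):
            allowed = sign == "+"
    return allowed


def audit_script_access(acl_lines):
    """Map each enabled user to the script commands they can still call.
    Users that are 'off' cannot authenticate, so they are not reported (assumption: an
    authenticated session is the precondition the advisory describes)."""
    findings = {}
    for line in acl_lines:
        name, enabled, rules = parse_acl_line(line)
        if not enabled:
            continue
        exposed = [cmd for cmd in SCRIPT_COMMANDS if can_run(rules, cmd)]
        if exposed:
            findings[name] = exposed
    return findings


# Constructed sample ACL LIST output (hashes are placeholders, not real digests).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #<sha256-placeholder> ~app:* &* +@all -@scripting",
    "user reporting on #<sha256-placeholder> ~* &* -@all +get +eval",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    for ver in ("7.2.6", "7.2.7", "7.0.15"):
        print(ver, "vulnerable:", is_vulnerable_version(ver))
    for user, cmds in audit_script_access(SAMPLE_ACL_LIST).items():
        # Remediation per finding, following the advisory's workaround:
        print(f"{user} can run {cmds}; apply: ACL SETUSER {user} -eval -evalsha")
```

On the sample data the `default` user (the `+@all` catch-all) and `reporting` (explicit `+eval` after `-@all`) are flagged, while `app` is cleared because `-@scripting` comes after `+@all`, and the disabled `legacy` user is skipped. The printed remediation, `ACL SETUSER <user> -eval -evalsha`, is the Redis ACL syntax for the workaround the advisory describes; patching to 7.4.2, 7.2.7 or 6.2.17 remains the fix.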
Details
- CWE(s)