FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

redis -- Multiple vulnerabilities

Affected packages
redis < 6.2.7
redis-devel < 7.0.0.20220428
redis62 < 6.2.7

Details

VuXML ID cc42db1c-c65f-11ec-ad96-0800270512f4
Discovery 2022-04-27
Entry 2022-04-27

Aviv Yahav reports:

CVE-2022-24735
By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis can inject Lua code that will execute with the (potentially higher) privileges of another Redis user.
CVE-2022-24736
An attacker attempting to load a specially crafted Lua script can cause a NULL pointer dereference, which will result in a crash of the redis-server process.

References

CVE Name CVE-2022-24735
CVE Name CVE-2022-24736
URL https://groups.google.com/g/redis-db/c/7iWUlwtoDqU