CVE-2024-46981
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Description
Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially lead to remote code execution. The problem is fixed in 7.4.2, 7.2.7, and 6.2.17. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
Analysis
Redis versions prior to 7.4.2, 7.2.7, and 6.2.17 contain a use-after-free vulnerability in the Lua scripting engine that allows authenticated users to achieve remote code execution. By manipulating the garbage collector through crafted Lua scripts, attackers can corrupt memory and execute arbitrary code on the Redis server.
Technical Context
Redis includes a Lua scripting engine (EVAL/EVALSHA commands) for server-side script execution. A vulnerability in how the Lua garbage collector interacts with Redis objects allows an authenticated user to craft a Lua script that triggers a use-after-free condition. By carefully controlling memory layout and garbage collection timing, an attacker can corrupt function pointers and redirect execution to attacker-controlled code.
Affected Products
Redis < 7.4.2
Redis < 7.2.7
Redis < 6.2.17
Remediation
Update Redis to 7.4.2, 7.2.7, or 6.2.17. Disable Lua scripting if not required (rename EVAL/EVALSHA commands). Require strong authentication with AUTH and ACLs. Restrict Redis network exposure to trusted application servers only. Monitor for unusual EVAL command patterns.
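As an added example (not part of this advisory or of the Redis project), a small POSIX shell script that classifies a redis-server version against the fixed releases listed above and prints the ACL workaround the advisory names; the INFO output sample and the user name appuser are constructed placeholders.

```shell
#!/bin/sh
# Added example: check a redis-server version against the CVE-2024-46981
# fixed releases and print the two mitigations the advisory describes.

# Fixed patch level per maintained branch, as stated in the advisory.
FIXED_7_4=2
FIXED_7_2=7
FIXED_6_2=17

# Extract "redis_version:X.Y.Z" from `redis-cli INFO server` output on stdin.
parse_redis_version() {
    sed -n 's/^redis_version:\([0-9.]*\).*$/\1/p' | tr -d '\r' | head -n 1
}

# Print "affected", "fixed" or "unknown" for a version string.
# Branches other than 7.4 / 7.2 / 6.2 return "unknown": the advisory only
# names those three fixed releases, so other branches need manual review.
cve_2024_46981_status() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; fi   # "7.2" with no patch level
    patch=${patch%%.*}
    case "$major.$minor" in
        7.4) fixed=$FIXED_7_4 ;;
        7.2) fixed=$FIXED_7_2 ;;
        6.2) fixed=$FIXED_6_2 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then echo affected; else echo fixed; fi
}

# ACL rule for the advisory's workaround: keep the user's existing access
# but remove EVAL and EVALSHA. The user name is a placeholder.
acl_deny_lua() {
    echo "ACL SETUSER $1 -eval -evalsha"
}

# Constructed sample of `redis-cli INFO server` output.
SAMPLE_INFO='# Server
redis_version:7.2.4
redis_mode:standalone'

VERSION=$(printf '%s\n' "$SAMPLE_INFO" | parse_redis_version)
echo "redis_version=$VERSION status=$(cve_2024_46981_status "$VERSION")"
acl_deny_lua appuser
echo 'rename-command EVAL ""'   # redis.conf line for the "rename" option
```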