Vulnerabilities > CVE-2022-0543 - Missing Authorization vulnerability in Redis

CVSS 10.0 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

redis

CWE-862

critical

NVD

Published: 2022-02-18

Updated: 2023-09-29

Summary

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

Vulnerable Configurations

Part	Description	Count
Application	Redis Redis Redis -	1
OS	Canonical Canonical Ubuntu Linux 20.04 Canonical Ubuntu Linux 21.10	2
OS	Debian Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0	3

Common Weakness Enumeration (CWE)

CWE-862 - Missing Authorization

References

https://bugs.debian.org/1005787
https://www.debian.org/security/2022/dsa-5081
https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
https://lists.debian.org/debian-security-announce/2022/msg00048.html
https://security.netapp.com/advisory/ntap-20220331-0004/
http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Related news

References