Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

rocky логотип

RLSA-2025:0693

Опубликовано: 17 мар. 2025
Источник: rocky
Оценка: Important

Описание

Important: redis security update

Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.

Security Fix(es):

  • redis: heap overflow in the lua cjson and cmsgpack libraries (CVE-2022-24834)

  • redis: possible bypass of Unix socket permissions on startup (CVE-2023-45145)

  • redis: Lua library commands may lead to stack overflow and RCE in Redis (CVE-2024-31449)

  • redis: Denial-of-service due to unbounded pattern matching in Redis (CVE-2024-31228)

  • redis: Redis' Lua library commands may lead to remote code execution (CVE-2024-46981)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Затронутые продукты

  • Rocky Linux 9

НаименованиеАрхитектураРелизRPM
redisx86_641.el9_5redis-6.2.17-1.el9_5.x86_64.rpm
redis-develi6861.el9_5redis-devel-6.2.17-1.el9_5.i686.rpm
redis-develx86_641.el9_5redis-devel-6.2.17-1.el9_5.x86_64.rpm
redis-docnoarch1.el9_5redis-doc-6.2.17-1.el9_5.noarch.rpm

Показывать по

Связанные CVE

CVE-2022-24834
CVE-2023-45145
CVE-2024-31228
CVE-2024-31449
CVE-2024-46981

Ссылки на источники

Исправления

Связанные уязвимости

oracle-oval логотип

ELSA-2025-0693

oracle-oval
10 месяцев назад

ELSA-2025-0693: redis security update (IMPORTANT)

oracle-oval логотип

ELSA-2025-0595

oracle-oval
10 месяцев назад

ELSA-2025-0595: redis:6 security update (IMPORTANT)

oracle-oval логотип

ELSA-2024-10869

oracle-oval
11 месяцев назад

ELSA-2024-10869: redis:7 security update (MODERATE)

ubuntu логотип

CVE-2022-24834

CVSS3: 7
ubuntu
больше 2 лет назад

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.

redhat логотип

CVE-2022-24834

CVSS3: 7
redhat
больше 2 лет назад

Redis is an in-memory database that persists on disk. A specially crafted Lua script executing in Redis can trigger a heap overflow in the cjson library, and result with heap corruption and potentially remote code execution. The problem exists in all versions of Redis with Lua scripting support, starting from 2.6, and affects only authenticated and authorized users. The problem is fixed in versions 7.0.12, 6.2.13, and 6.0.20.