CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2022-33105 – Gentoo Linux Security Advisory 202209-17
https://notcve.org/view.php?id=CVE-2022-33105
22 Jun 2022 — Redis v7.0 was discovered to contain a memory leak via the component streamGetEdgeID. Se ha detectado que Redis versión v7.0, contiene una pérdida de memoria por medio del componente streamGetEdgeID Multiple vulnerabilities have been found in Redis, the worst of which could result in arbitrary code execution. Versions less than 7.0.5 are affected. • https://github.com/redis/redis/commit/4a7a4e42db8ff757cdf3f4a824f66426036034ef • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 1CVE-2022-24736 – A Malformed Lua script can crash Redis
https://notcve.org/view.php?id=CVE-2022-24736
27 Apr 2022 — Redis is an in-memory database that persists on disk. Prior to versions 6.2.7 and 7.0.0, an attacker attempting to load a specially crafted Lua script can cause NULL pointer dereference which will result with a crash of the redis-server process. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules. Redis... • https://github.com/redis/redis/pull/10651 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 1%CPEs: 12EXPL: 1CVE-2022-24735 – Lua scripts can be manipulated to overcome ACL rules in Redis
https://notcve.org/view.php?id=CVE-2022-24735
27 Apr 2022 — Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same, or different script, at a later time. Several weakne... • https://github.com/redis/redis/pull/10651 • CWE-94: Improper Control of Generation of Code ('Code Injection') •