Multiple Vulnerabilities in Redis
Summary
Security updates fix two vulnerabilities that could lead to RCE and denial-of-service
Affected platforms
The following platforms are known to be affected:
Threat details
Unsupported Versions
Redis versions prior to version 6.2.0 and prior to version 7.2.0 are not supported and do not receive security updates.
Introduction
Two security advisories have been released to address two vulnerabilities in Redis. Redis is a popular in-memory key-value database that persists on disk.
CVE-2024-46981 is a 'use after free' vulnerability with a CVSSv3 score of 7.0. If exploited, an authenticated attacker could use a specially crafted Lua script to achieve remote code execution.
CVE-2024-51741 is an 'improper input validation' vulnerability with a CVSSv3 score of 4.4. If exploited, an authenticated attacker with sufficient privileges may create a malformed access control list (ACL) selector which could lead to a denial-of-service condition.
Remediation advice
Affected organisations are encouraged to review Redis security advisory GHSA-39h2-x6c4-6w4c and Redis security advisory GHSA-prpq-rh5h-46g9, and apply any relevant updates as soon as practicable.
Remediation steps
Type | Step |
---|---|
Patch | CVE-2024-46981 Update to Redis version: https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c |
Guidance | CVE-2024-46981 An additional workaround to mitigate CVE-2024-46981 without patching the redis-server executable is to prevent users from executing Lua scripts, using ACL to restrict EVAL and EVALSHA commands. https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c |
Patch | CVE-2024-51741 Update to Redis version: https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9 |
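The ACL-based workaround in the Guidance row above, as an added audit check that is not Redis's own code: it reads `user` lines from a Redis ACL file and reports which users can still execute Lua. It handles only the ACL syntax needed for that decision, and the inclusion of EVAL_RO/EVALSHA_RO (the read-only variants introduced in Redis 7.0) is an assumption from the Redis documentation rather than from the advisory; the sample ACL file and its passwords are constructed.

```python
# Added audit helper, not Redis code: from the lines of a Redis ACL file, report
# which users can still execute Lua, i.e. whether the EVAL/EVALSHA restriction
# the advisory suggests as a workaround is actually in place. Only the ACL syntax
# needed for that decision is handled; rules apply left to right as in Redis.

# EVAL/EVALSHA are named in the advisory; EVAL_RO/EVALSHA_RO are the read-only
# variants from Redis 7.0 that also run Lua (assumption from Redis docs).
LUA_COMMANDS = ("eval", "evalsha", "eval_ro", "evalsha_ro")


def lua_commands_allowed(acl_line: str) -> set:
    """Return the Lua-executing commands one ACL 'user' line leaves callable."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL user line: {acl_line!r}")
    enabled, allowed = False, set()
    for tok in tokens[2:]:
        if tok in ("on", "off"):
            enabled = tok == "on"
        elif tok in ("allcommands", "+@all", "+@scripting"):  # @scripting holds all four
            allowed = set(LUA_COMMANDS)
        elif tok in ("nocommands", "-@all", "-@scripting"):
            allowed = set()
        elif tok[0] in "+-" and tok[1:].lower() in LUA_COMMANDS:
            (allowed.add if tok[0] == "+" else allowed.discard)(tok[1:].lower())
        # passwords, key patterns, channels and other commands are irrelevant here
    return allowed if enabled else set()


def audit_acl(acl_text: str) -> dict:
    """Map each user in an ACL file to the Lua commands it can still run."""
    report = {}
    for line in acl_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            report[line.split()[1]] = lua_commands_allowed(line)
    return report


# Constructed sample users.acl with placeholder passwords: an unrestricted user,
# the workaround as worded in the advisory, and the category-based form.
SAMPLE_ACL = """\
user default on nopass ~* &* +@all
user app-unrestricted on >example-password ~app:* +@all
user app-advisory on >example-password ~app:* +@all -eval -evalsha
user app-category on >example-password ~app:* +@all -@scripting
user app-disabled off >example-password ~app:* +@all
"""

if __name__ == "__main__":
    for name, cmds in audit_acl(SAMPLE_ACL).items():
        print(f"{name:17} {', '.join(sorted(cmds)) or 'Lua blocked'}")
```

Running it shows that `-eval -evalsha` alone still leaves the read-only variants callable on Redis 7, while `-@scripting` blocks all of them.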
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 7 January 2025 3:44 pm