Multiple Vulnerabilities in Redis

Summary

Security updates fix two vulnerabilities that could lead to RCE and denial-of-service


Affected platforms

The following platforms are known to be affected:

Threat details

Unsupported Versions

Redis versions prior to 6.2.0, and the 7.0 series (7.0.0 up to, but not including, 7.2.0), are no longer supported and do not receive security updates. Only the 6.2, 7.2 and 7.4 branches received fixes for the issues below; deployments on an unsupported branch must move to a supported branch rather than wait for a patch.


Introduction

Two security advisories have been released to address two vulnerabilities in Redis. Redis is a popular in-memory key-value database that can optionally persist its data on disk.

CVE-2024-46981 is a 'use after free' vulnerability with a CVSSv3 score of 7.0. An authenticated user who can run Lua scripts could use a specially crafted script to manipulate the Lua garbage collector and potentially achieve remote code execution on the Redis server.

CVE-2024-51741 is an 'improper input validation' vulnerability with a CVSSv3 score of 4.4. An authenticated user with sufficient privileges (permission to run ACL SETUSER) could create a malformed access control list (ACL) selector which, when accessed, triggers a server panic and a denial-of-service condition.


Remediation advice

Affected organisations are encouraged to review Redis security advisory GHSA-39h2-x6c4-6w4c and Redis security advisory GHSA-prpq-rh5h-46g9, and apply any relevant updates as soon as practicable.


Remediation steps

Type      Step

Patch     CVE-2024-46981

          Update to Redis version:

            • 6.2.17 or higher
            • 7.2.7 or higher
            • 7.4.2 or higher

          https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Guidance  CVE-2024-46981

          An additional workaround to mitigate CVE-2024-46981 without patching the redis-server executable is to prevent users from executing Lua scripts, by using ACL rules to deny the EVAL and EVALSHA commands. Denying the whole @scripting category (-@scripting) also covers the EVAL_RO, EVALSHA_RO, SCRIPT, FUNCTION and FCALL variants. Confirm the effective rules with ACL LIST, remembering that ACL rules apply left to right, so a later +@all, +eval or a selector can re-grant what an earlier rule removed. This workaround does not address CVE-2024-51741.

          https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c

Patch     CVE-2024-51741

          Update to Redis version:

            • 7.2.7 or higher
            • 7.4.2 or higher

          https://github.com/redis/redis/security/advisories/GHSA-prpq-rh5h-46g9
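The following checker is an added example, not part of this alert or of the Redis project. It applies the version table above to the text returned by `redis-cli INFO server`, and evaluates an `ACL LIST` line to confirm that the EVAL/EVALSHA workaround actually holds for a given user. The INFO text and ACL lines are constructed samples. Two assumptions are built in: branches other than 6.2, 7.2 and 7.4 are reported as unsupported (they receive no fix), and ACL selectors are treated as existing only from Redis 7.2.0 onward, so CVE-2024-51741 is reported as not affecting earlier branches.

```python
import re

# Fix versions per supported branch, taken from the remediation table above.
FIXES = {
    "CVE-2024-46981": {
        "affected_from": (0, 0, 0),   # any build with Lua scripting
        "fixed": {(6, 2): (6, 2, 17), (7, 2): (7, 2, 7), (7, 4): (7, 4, 2)},
    },
    "CVE-2024-51741": {
        "affected_from": (7, 2, 0),   # assumption: ACL selectors exist from 7.2.0
        "fixed": {(7, 2): (7, 2, 7), (7, 4): (7, 4, 2)},
    },
}
# Assumption: branches outside this set (below 6.2, and 7.0.x) get no fix.
SUPPORTED_BRANCHES = {(6, 2), (7, 2), (7, 4)}

# Constructed sample of `redis-cli INFO server` output.
INFO_SAMPLE = """# Server
redis_version:7.2.6
redis_git_sha1:00000000
redis_mode:standalone
"""


def parse_version(info_text):
    """Extract redis_version from INFO output as an (major, minor, patch) tuple."""
    m = re.search(r"^redis_version:(\d+)\.(\d+)\.(\d+)", info_text, re.M)
    if not m:
        raise ValueError("no redis_version field in INFO output")
    return tuple(int(x) for x in m.groups())


def assess(version):
    """Map a version tuple to a status string for each CVE in FIXES."""
    branch = version[:2]
    result = {}
    for cve, spec in FIXES.items():
        if version < spec["affected_from"]:
            result[cve] = "not affected"
        elif branch not in SUPPORTED_BRANCHES:
            result[cve] = "unsupported branch, upgrade"
        elif version >= spec["fixed"][branch]:
            result[cve] = "fixed"
        else:
            result[cve] = "vulnerable, update to %d.%d.%d" % spec["fixed"][branch]
    return result


def lua_reachable(acl_line):
    """Evaluate one `ACL LIST` line left to right and report whether EVAL or
    EVALSHA is still permitted, either by the root rules or by any selector.
    Selectors (parenthesised groups) start with no command permissions and
    are independent of the root rules, so a single +eval inside one re-opens
    the path even when the root rules say -@scripting."""
    cmds = ("eval", "evalsha")
    root = {c: False for c in cmds}
    sets = [root]
    cur = root
    for tok in acl_line.split()[2:]:      # skip the leading "user <name>"
        if tok.startswith("("):           # new selector with its own rule set
            cur = {c: False for c in cmds}
            sets.append(cur)
            tok = tok[1:]
        closing = tok.endswith(")")
        tok = tok.rstrip(")").lower()
        if tok in ("allcommands", "+@all"):
            for c in cmds:
                cur[c] = True
        elif tok in ("nocommands", "-@all"):
            for c in cmds:
                cur[c] = False
        elif tok in ("+@scripting", "-@scripting"):
            for c in cmds:
                cur[c] = tok[0] == "+"
        elif len(tok) > 1 and tok[0] in "+-" and tok[1:] in cmds:
            cur[tok[1:]] = tok[0] == "+"
        if closing:                       # selector finished, back to root rules
            cur = root
    return any(s[c] for s in sets for c in cmds)


if __name__ == "__main__":
    ver = parse_version(INFO_SAMPLE)
    print("redis %d.%d.%d:" % ver, assess(ver))
    # Constructed ACL LIST lines: hardened, default, selector re-grant, partial deny.
    for line in (
        "user app on #abc ~* &* +@all -@scripting",
        "user default on nopass sandbox ~* &* +@all",
        "user ro on #abc ~* &* -@all +@read (~cache:* +eval)",
        "user half on #abc ~* &* +@all -eval",
    ):
        print(line.split()[1], "can run Lua:", lua_reachable(line))
```

The ACL evaluator only answers the narrow question this workaround raises (can this user reach EVAL or EVALSHA); it is not a general ACL emulator, and key or channel patterns are ignored on purpose. The last two sample lines are the cases that most often undo the workaround in practice: a selector that quietly grants +eval, and a rule that removes EVAL but leaves EVALSHA.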


Last edited: 7 January 2025 3:44 pm