CVE-2022-0543
In short
Redis, a popular database, has a critical flaw in its Debian packaging that allows attackers to bypass its Lua script sandbox and execute arbitrary code on the server.
Technical detail
A Lua sandbox escape vulnerability in Redis (Debian packages) allows remote code execution by bypassing the intended restrictions on Lua scripts. The vulnerability stems from a packaging configuration issue that fails to properly isolate the Lua interpreter, enabling attackers to break out of the sandbox and execute arbitrary system commands on the affected host.
Summary generated and translated by AI from the official description.
It was discovered that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products
Debian · redis
Public PoCs found — 7
github: github.com/0x7eTeam/CVE-2022-0543 (★ 96)
github: github.com/z92g/CVE-2022-0543 (★ 24)
github: github.com/SiennaSkies/redisHack (★ 4)
github: github.com/OpsCipher/CVE-2022-0543 (★ 1)
github: github.com/netw0rk7/CVE-2022-0543-Home-Lab (★ 0)
github: github.com/K3ysTr0K3R/CVE-2022-0543 (★ 0)
cve_reference: packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
References
http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html
https://bugs.debian.org/1005787
https://lists.debian.org/debian-security-announce/2022/msg00048.html
https://security.netapp.com/advisory/ntap-20220331-0004/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-0543
https://www.debian.org/security/2022/dsa-5081
https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce