=====================================================================
CERT-Renater Information Note No. 2025/VULN018
_____________________________________________________________________
DATE                : 20/01/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running redis-server with Lua scripting enabled. All versions are affected; fixed releases exist in the 6.2.X, 7.2.X and 7.4.X lines.
=====================================================================

https://github.com/redis/redis/security/advisories/GHSA-39h2-x6c4-6w4c
_____________________________________________________________________

Lua library commands may lead to remote code execution
Severity: High
Published by YaacovHazan as GHSA-39h2-x6c4-6w4c on Jan 6, 2025

Package          : redis-server
Affected versions: All
Patched versions : 6.2.X, 7.2.X, 7.4.X

Description

Impact
An authenticated user may use a specially crafted Lua script to manipulate the garbage collector and potentially achieve remote code execution. The problem exists in all versions of Redis with Lua scripting.

Patches
The problem is fixed in Redis 6.2.x, 7.2.x and 7.4.x.

Workarounds
An additional workaround that mitigates the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done with ACLs that restrict the EVAL and EVALSHA commands.

Credit
The problem was reported by p33zy working with Trend Micro Zero Day Initiative.

Severity
High, 7.0 / 10

CVSS v3 base metrics
Attack vector       : Local
Attack complexity   : High
Privileges required : Low
User interaction    : None
Scope               : Unchanged
Confidentiality     : High
Integrity           : High
Availability        : High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID    : CVE-2024-46981
Weaknesses: CWE-416 (Use After Free)

=========================================================
+ CERT-RENATER      | tel : 01-53-94-20-44             +
+ 23/25 Rue Daviel  | fax : 01-53-94-20-41             +
+ 75013 Paris       | email: cert@support.renater.fr   +
=========================================================
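The ACL workaround above only helps if no authenticated user keeps the right to run scripts, and Redis ACL rules are resolved left to right, so a user granted +@all and later restricted with -eval -evalsha differs from one granted -@all and then +@read. The following script is an added example written for this note; it is not part of the Redis project or of the GHSA advisory. It takes the text output of the ACL LIST command (a constructed sample is embedded), works out for each user whether any Lua entry point is still permitted, and prints the ACL SETUSER line that removes it. Assumptions not in the advisory: EVAL_RO and EVALSHA_RO (Redis 7.0+) are treated as Lua entry points alongside EVAL and EVALSHA because they also run Lua scripts, and the category resolver is a simplification that only knows that @all, @scripting and @slow contain the EVAL family; selectors in parentheses are evaluated from an empty permission set, as Redis does.

```python
import re

# Lua entry points to audit. The advisory names EVAL and EVALSHA; the
# read-only variants (Redis 7.0+) also execute Lua, so they are included
# here as an assumption of this example.
SCRIPT_COMMANDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro"})

# ACL categories that contain the EVAL family. Simplification of this
# example: any other category is treated as not granting these commands.
CATEGORIES = {
    "all": SCRIPT_COMMANDS,
    "scripting": SCRIPT_COMMANDS,
    "slow": SCRIPT_COMMANDS,
}

# Selectors are printed by ACL LIST as "(rules...)" after the main rules.
SELECTOR_RE = re.compile(r"\(([^)]*)\)")


def _apply_rules(tokens, allowed):
    """Apply ACL rule tokens left to right, tracking only the Lua entry points."""
    allowed = set(allowed)
    for tok in tokens:
        low = tok.lower()
        if low == "allcommands":
            allowed |= SCRIPT_COMMANDS
        elif low == "nocommands":
            allowed.clear()
        elif low[:2] in ("+@", "-@"):
            members = CATEGORIES.get(low[2:], frozenset())
            if low[0] == "+":
                allowed |= members
            else:
                allowed -= members
        elif low[0] in "+-":
            cmd = low[1:].split("|", 1)[0]  # strip any "cmd|subcommand" suffix
            if cmd in SCRIPT_COMMANDS:
                if low[0] == "+":
                    allowed.add(cmd)
                else:
                    allowed.discard(cmd)
        # flags (on, nopass, ...), key patterns (~), channels (&) and
        # password hashes (#) do not affect command permissions: ignored
    return allowed


def lua_commands_for_user(acl_line):
    """Return (user, set of Lua entry points the user may run) for one ACL LIST line."""
    selectors = SELECTOR_RE.findall(acl_line)
    main = SELECTOR_RE.sub(" ", acl_line).split()
    if len(main) < 2 or main[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    name, rules = main[1], main[2:]
    if any(r.lower() == "off" for r in rules):
        return name, set()  # disabled users cannot authenticate at all
    allowed = _apply_rules(rules, set())
    for sel in selectors:  # each selector starts from no permissions
        allowed |= _apply_rules(sel.split(), set())
    return name, allowed


def audit(acl_list_output):
    """Map each user that can still run a Lua entry point to the sorted list of them."""
    findings = {}
    for line in acl_list_output.splitlines():
        line = line.strip()
        if not line:
            continue
        name, allowed = lua_commands_for_user(line)
        if allowed:
            findings[name] = sorted(allowed)
    return findings


def remediation(user):
    """ACL SETUSER line that strips the Lua entry points from one user."""
    return f"ACL SETUSER {user} -eval -evalsha -eval_ro -evalsha_ro"


# Constructed sample of ACL LIST output (not captured from a real server).
SAMPLE_ACL_LIST = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #0123456789abcdef ~app:* &* -@all +@read +@write
user batch on #fedcba9876543210 ~* &* +@all -eval -evalsha
user reporter on #00ff00ff00ff00ff ~* &* -@all +@read (~jobs:* +evalsha)
user legacy off nopass ~* &* +@all
"""

if __name__ == "__main__":
    for user, cmds in audit(SAMPLE_ACL_LIST).items():
        print(f"{user}: can still run {', '.join(cmds)}")
        print(f"  fix: {remediation(user)}")
```

On the constructed sample the audit flags default (never restricted, and created with nopass unless redis.conf or an ACL file says otherwise), batch (the advisory's minimal -eval -evalsha leaves the _RO variants) and reporter (a selector re-grants EVALSHA). A broader alternative to the per-command rule is `-@scripting`, which also removes FCALL, FUNCTION and SCRIPT, at the cost of breaking any client that relies on Redis Functions. Whatever rule you choose, run the check against `redis-cli ACL LIST` on every instance, including replicas, and treat the ACL change as a stopgap until the patched 6.2.x, 7.2.x or 7.4.x release is deployed.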