CVE-2022-0543

critical

Description

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

References

https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce

https://www.debian.org/security/2022/dsa-5081

https://security.netapp.com/advisory/ntap-20220331-0004/

https://lists.debian.org/debian-security-announce/2022/msg00048.html

https://bugs.debian.org/1005787

https://securityaffairs.com/164968/malware/p2pinfect-delivers-miners-ransomware-on-redis.html

https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/

https://www.cadosecurity.com/blog/p2pinfect-new-variant-targets-mips-devices

https://www.tenable.com/cyber-exposure/tenable-2022-threat-landscape-report

http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html

Details

Source: Mitre, NVD

Published: 2022-02-18

Updated: 2025-04-02

Known Exploited Vulnerability (KEV)

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H