Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2022-0543 |
CWE-ID | CWE-94 |
Exploitation vector | Network |
Public exploit | Vulnerability #1 is being exploited in the wild. |
Vulnerable software |
redis (Debian package) Operating systems & Components / Operating system package or component |
Vendor | Debian |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
EUVDB-ID: #VU60741
Risk: Medium
CVSSv4.0: 9.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Green]
CVE-ID: CVE-2022-0543
CWE-ID:
CWE-94 - Improper Control of Generation of Code ('Code Injection')
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper input validation, related to Linux Debian specific Lua sandbox escape. A remote attacker with ability to control data stored in the Redis database can inject and execute arbitrary code on the system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsredis (Debian package): 5:5.0.3-4+deb10u1 - 5.0.3-4+deb10u2
CPE2.3https://bugs.debian.org/1005787
https://www.debian.org/security/2022/dsa-5081
https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
https://lists.debian.org/debian-security-announce/2022/msg00048.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.