CVE-2024-31449

NameCVE-2024-31449
DescriptionRedis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1084805

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
redis (PTS)bullseye5:6.0.16-1+deb11u2vulnerable
bullseye (security)5:6.0.16-1+deb11u3vulnerable
bookworm, bookworm (security)5:7.0.15-1~deb12u1vulnerable
sid, trixie5:7.0.15-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
redissource(unstable)5:7.0.15-21084805

Notes

https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 (7.2.6)
Search for package or bug name: Reporting problems