CVE-2024-31449

NameCVE-2024-31449
DescriptionRedis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1084805

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
redict (PTS)sid, trixie7.3.1+ds-1fixed
redis (PTS)jessie, jessie (lts)2:2.8.17-1+deb8u12fixed
stretch (security)3:3.2.6-3+deb9u9vulnerable
stretch (lts), stretch3:3.2.6-3+deb9u12vulnerable
buster (security), buster, buster (lts)5:5.0.14-1+deb10u5vulnerable
bullseye5:6.0.16-1+deb11u2vulnerable
bullseye (security)5:6.0.16-1+deb11u3vulnerable
bookworm (security), bookworm5:7.0.15-1~deb12u1vulnerable
sid, trixie5:7.0.15-2fixed
valkey (PTS)sid, trixie8.0.1+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
redictsource(unstable)7.3.1+ds-1
redissourcejessie(not affected)
redissource(unstable)5:7.0.15-21084805
valkeysource(unstable)8.0.1+dfsg1-1

Notes

https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
https://github.com/redis/redis/commit/fe8de4313f85e0f8af2eff1f78b52cfe56fb4c71 (7.2.6)
Fixed by: https://github.com/redis/redis/commit/1f7c148be2cbacf7d50aa461c58b871e87cc5ed9 (6.2)
https://github.com/valkey-io/valkey/pull/1114
https://github.com/valkey-io/valkey/commit/4fbab5740bfef66918d6c2950dd2b3b4e07815a2 (8.0.1)
[jessie] - redis <not-affected> (Lua bit library added in >= 2.8.18)
Search for package or bug name: Reporting problems