CVE-2024-31449

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-31449
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31449.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-31449
Aliases
Downstream
Related
Published
2024-10-07T19:51:08.775Z
Modified
2026-03-20T12:36:07.461256Z
Severity
  • 7.0 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Lua library commands may lead to stack overflow and RCE in Redis
Details

Redis is an open source, in-memory database that persists on disk. An authenticated user may use a specially crafted Lua script to trigger a stack buffer overflow in the bit library, which may potentially lead to remote code execution. The problem exists in all versions of Redis with Lua scripting. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/31xxx/CVE-2024-31449.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-121",
        "CWE-20"
    ]
}
References

Affected packages

Git / github.com/redis/redis

Affected ranges

Type
GIT
Repo
https://github.com/redis/redis
Events
Introduced
5eec376c2f56dbf617cc8bc19476fd5431cd664d
Fixed
ad950e4c32d9ebff932f157cfad135bde4fadce4
Database specific 
{
    "versions": [
        {
            "introduced": "2.6"
        },
        {
            "fixed": "6.2.16"
        }
    ]
}
Type
GIT
Repo
https://github.com/redis/redis
Events
Introduced
d375595d5e3ae2e5c29e6c00a2dc3d60578fd9fc
Fixed
ae6a2aa95cd094b032e7a69b8b59f64dd1ed085f
Database specific 
{
    "versions": [
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.2.6"
        }
    ]
}
Type
GIT
Repo
https://github.com/redis/redis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
74b289a0e12f9f65a6daeec6a66cadc76792f644
Database specific 
{
    "versions": [
        {
            "introduced": "7.3.0"
        },
        {
            "fixed": "7.4.1"
        }
    ]
}

Affected versions

1.*
1.3.6
2.*
2.2-alpha0
2.2-alpha1
2.2-alpha2
2.2-alpha3
2.2-alpha4
2.2-alpha5
2.2-alpha6
2.2.0-rc1
2.3-alpha0
3.*
3.0-alpha0
7.*
7.4-rc1
7.4-rc2
7.4.0
v1.*
v1.3.10
v1.3.11
v1.3.12
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0-rc1
v2.1.1-watch
Other
vm-playpen
with-deprecated-diskstore

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-31449.json"