CVE-2022-0543

Published: 18 February 2022

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

From the Ubuntu security team

Reginaldo Silva discovered that due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scriptss could possibly escape the Lua sandbox and execute arbitrary code on the host.

Priority

CVSS 3 base score: 10.0

Status

Package	Release	Status
redis Launchpad, Ubuntu, Debian	bionic	Not vulnerable (code not present)
	focal	Released (5:5.0.7-2ubuntu0.1)
	impish	Released (5:6.0.15-1ubuntu0.1)
	trusty	Not vulnerable (code not present)
	upstream	Released (6.0.16-1+deb11u2)
	xenial	Ignored (out of standard support)

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›