PublicDateAtUSN: 2022-02-18 20:15:00 UTC
Candidate: CVE-2022-0543
PublicDate: 2022-02-18 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0543
 https://ubuntu.com/security/notices/USN-5316-1
Description:
 It was discovered that redis, a persistent key-value database, due to a
 packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which
 could result in remote code execution.
Ubuntu-Description:
 Reginaldo Silva discovered that due to a packaging issue, a remote attacker
 with the ability to execute arbitrary Lua scripts could possibly escape the
 Lua sandbox and execute arbitrary code on the host.
Notes:
Mitigation:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005787
Priority: medium
Discovered-by: Reginaldo Silva
Assigned-to: amurray
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H [10.0 CRITICAL]

Patches_redis:
upstream_redis: released (6.0.16-1+deb11u2)
trusty/esm_redis: not-affected (code not present)
trusty_redis: ignored (out of standard support)
xenial_redis: ignored (out of standard support)
bionic_redis: not-affected (code not present)
focal_redis: released (5:5.0.7-2ubuntu0.1)
impish_redis: released (5:6.0.15-1ubuntu0.1)
devel_redis: released (6.0.16-1ubuntu1)