Vulnerability Name: CVE-2015-4335 (CCN-103645)
Assigned: 2015-06-04
Published: 2015-06-04
Updated: 2018-08-13
Summary: Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVSS v2 Severity: 10.0 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C)
    7.4 High (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
    5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Vulnerability Type: CWE-17
Vulnerability Consequences: Bypass Security
References:
    Source: MISC Type: Exploit, Third Party Advisory http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
    Source: MITRE Type: CNA CVE-2015-4335
    Source: FEDORA Type: Third Party Advisory FEDORA-2015-9488
    Source: FEDORA Type: Third Party Advisory FEDORA-2015-9498
    Source: SUSE Type: Third Party Advisory openSUSE-SU-2015:1687
    Source: CCN Type: Redis Web site Redis
    Source: REDHAT Type: Third Party Advisory RHSA-2015:1676
    Source: CCN Type: oss-security Mailing List, Thu, 4 Jun 2015 15:46:18 +0200 CVE Request: redis Lua sandbox escape and arbitrary code execution
    Source: CCN Type: oss-security Mailing List, Fri, 5 Jun 2015 07:12:00 -0400 (EDT) Re: CVE Request: redis Lua sandbox escape and arbitrary code execution
    Source: DEBIAN Type: Third Party Advisory DSA-3279
    Source: CCN Type: IBM Security Bulletin T1024538 (PowerKVM) Vulnerabilities in redis affect PowerKVM (CVE-2015-4335, CVE-2013-7458)
    Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20150604 Re: CVE Request: redis Lua sandbox escape and arbitrary code execution
    Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20150604 CVE Request: redis Lua sandbox escape and arbitrary code execution
    Source: MLIST Type: Mailing List, Third Party Advisory [oss-security] 20150605 Re: CVE Request: redis Lua sandbox escape and arbitrary code execution
    Source: BID Type: Third Party Advisory, VDB Entry 75034
    Source: CCN Type: BID-75034 Redis CVE-2015-4335 EVAL Lua Sandbox Security Bypass Vulnerability
    Source: XF Type: UNKNOWN redis-lua-cve20154335-sec-bypass(103645)
    Source: CONFIRM Type: Third Party Advisory https://github.com/antirez/redis/commit/fdf9d455098f54f7666c702ae464e6ea21e25411
    Source: CONFIRM Type: UNKNOWN https://groups.google.com/forum/#!msg/redis-db/4Y6OqK8gEyk/Dg-5cejl-eUJ
    Source: GENTOO Type: Third Party Advisory GLSA-201702-16
    Source: CCN Type: WhiteSource Vulnerability Database CVE-2015-4335
Vulnerable Configuration: Configuration 1: Configuration 2: Configuration CCN 1: