CVE-2022-24735: 
Redis vulnerability analysis and mitigation

CVE-2022-24735 affects Redis versions prior to 7.0.0 and 6.2.7. The vulnerability allows an attacker with access to Redis to inject Lua code that will execute with the potentially higher privileges of another Redis user. The issue was discovered and reported by Aviv Yahav and was publicly disclosed on April 27, 2022 (Redis Release).

The vulnerability exists in the Lua script execution environment of Redis. The environment had measures to prevent scripts from creating persistent side effects that could affect later script executions. However, these security measures had weaknesses that became exploitable after Redis 6.0 introduced ACLs (Access Control Lists). The vulnerability allows less privileged users to inject Lua code that executes with elevated privileges when a privileged user runs a Lua script (GitHub Advisory).

Successful exploitation of this vulnerability could lead to privilege escalation, allowing attackers to execute code with higher privileges than they should have access to. This could result in unauthorized access to data, modification of system settings, or other malicious actions performed with elevated permissions (NetApp Advisory).

The vulnerability is fixed in Redis versions 7.0.0 and 6.2.7. If upgrading is not immediately possible, a workaround is available by blocking access to SCRIPT LOAD and EVAL commands using ACL rules if Lua scripting is not being used (Redis Release).

The vulnerability was treated as a significant security issue, with multiple vendors and distributions quickly releasing patches and advisories, including Red Hat, Fedora, and NetApp. The fix involved making substantial changes to how Redis handles Lua tables and global functions, which caused some compatibility issues that required applications to update their Lua scripts (GitHub PR).