CVE-2024-46981: 
Redis vulnerability analysis and mitigation

Redis, an open-source in-memory database, was found to contain a security vulnerability (CVE-2024-46981) that affects all versions with Lua scripting capabilities. The vulnerability was discovered and disclosed on January 6, 2025. An authenticated user could potentially exploit this vulnerability through specially crafted Lua scripts to manipulate the garbage collector, potentially leading to remote code execution (Redis Advisory).

The vulnerability is classified as High severity with a CVSS v3.1 base score of 7.0 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H). The technical assessment indicates that while the attack vector is Local and requires High complexity, it can result in High impact across Confidentiality, Integrity, and Availability. The vulnerability is identified as CWE-416 (Use After Free) and specifically involves the manipulation of the garbage collector through Lua script commands (Redis Advisory, NVD).

The vulnerability can lead to remote code execution if successfully exploited, potentially compromising the security of the Redis server. This could allow attackers to execute arbitrary code, potentially leading to unauthorized access, data breaches, or system compromise (Redis Advisory).

The vulnerability has been patched in Redis versions 7.4.2, 7.2.7, and 6.2.17. For users unable to immediately update, a workaround is available by preventing users from executing Lua scripts through ACL restrictions on EVAL and EVALSHA commands. This can be implemented without patching the redis-server executable (Redis Advisory, Redis Release).

The vulnerability has received attention from major Linux distributions, with Debian and Red Hat releasing security updates to address the issue. Red Hat has classified this as an Important security update, indicating significant concern about its potential impact (Debian LTS, Red Hat).