CVE-2022-0543
Publication date 18 February 2022
Last updated 25 August 2025
Ubuntu priority
CVSS 3 Severity Score
Description
It was discovered that redis, a persistent key-value database, is prone to a (Debian-specific) Lua sandbox escape due to a packaging issue, which could result in remote code execution.
From the Ubuntu Security Team
Reginaldo Silva discovered that, due to a packaging issue, a remote attacker with the ability to execute arbitrary Lua scripts could possibly escape the Lua sandbox and execute arbitrary code on the host.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| redis | 20.04 LTS focal | Fixed 5:5.0.7-2ubuntu0.1 |
| redis | 18.04 LTS bionic | Not affected |
| redis | 16.04 LTS xenial | Not affected |
| redis | 14.04 LTS trusty | Not affected |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-5316-1: Redis vulnerability, 8 March 2022