What is CVE-2022-0543?

CVE-2022-0543 is a vulnerability in Debian Redis. Published 2022-02-18.

Is CVE-2022-0543 known to be exploited?

Yes. CVE-2022-0543 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-28), indicating it is being actively exploited. 66 public proof-of-concept repositories are indexed.

Vulnerability in Debian Redis

CVE-2022-0543

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.

EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.

Affected products

Debian Redis — versions n/a

CISA KEV (Known Exploited Vulnerabilities)

This CVE is on the CISA KEV catalog, added on 2022-03-28. CISA KEV inclusion means CISA has confirmed in-the-wild exploitation; US federal agencies are required to remediate within a published due date.

BOD 22-01 due date: 2022-04-18.

Required action: Apply updates per vendor instructions.

Public proof-of-concept exploits

References

bugs.debian.org/1005787 (x_refsource_MISC)
www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce (x_refsource_MISC)
[debian-security-announce] 20220218 [SECURITY] [DSA 5081-1] redis security update (mailing-list, x_refsource_MLIST)
DSA-5081 (vendor-advisory, x_refsource_DEBIAN)
security.netapp.com/advisory/ntap-20220331-0004/ (x_refsource_CONFIRM)
packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html (x_refsource_MISC)

Frequently asked questions

What is CVE-2022-0543?: CVE-2022-0543 is a vulnerability in Debian Redis. Published 2022-02-18.
Is CVE-2022-0543 known to be exploited?: Yes. CVE-2022-0543 is listed in the CISA Known Exploited Vulnerabilities catalog (added 2022-03-28), indicating it is being actively exploited. 66 public proof-of-concept repositories are indexed.