Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2015-4335 — Redis EVAL Lua Sandbox Escape

Disclosure Date: June 09, 2015
CVE-2015-4335
Exploited in the Wild
Reported by hrbrmstr
View Source Details
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Vulnerable in default configuration
Technical Analysis

Ben Murphy’s dissection — https://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/ — is pretty thorough.

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • debian,
  • redislabs

Products

  • debian linux 8.0,
  • debian linux 9.0,
  • redis,
  • redis 3.0.0,
  • redis 3.0.1

Exploited in the Wild

Reported by:
Technical Analysis