
CVE-2022-24735: CWE-94 Improper Control of Generation of Code ('Code Injection') in redis redis

Medium
Published: Wed Apr 27 2022 (04/27/2022, 19:43:27 UTC)
Source: CVE
Vendor/Project: redis
Product: redis

Description

Redis is an in-memory database that persists on disk. By exploiting weaknesses in the Lua script execution environment, an attacker with access to Redis prior to version 7.0.0 or 6.2.7 can inject Lua code that will execute with the (potentially higher) privileges of another Redis user. The Lua script execution environment in Redis provides some measures that prevent a script from creating side effects that persist and can affect the execution of the same or a different script at a later time. Several weaknesses of these measures have been publicly known for a long time, but they had no security impact as the Redis security model did not endorse the concept of users or privileges. With the introduction of ACLs in Redis 6.0, these weaknesses can be exploited by a less privileged user to inject Lua code that will execute at a later time, when a privileged user executes a Lua script. The problem is fixed in Redis versions 7.0.0 and 6.2.7. An additional workaround to mitigate this problem without patching the redis-server executable, if Lua scripting is not being used, is to block access to `SCRIPT LOAD` and `EVAL` commands using ACL rules.

AI-Powered Analysis

Last updated: 06/22/2025, 02:06:15 UTC

Technical Analysis

CVE-2022-24735 is a code injection vulnerability affecting Redis, an in-memory database widely used for caching, message brokering, and real-time analytics. The vulnerability arises from weaknesses in Redis's Lua script execution environment prior to versions 7.0.0 and 6.2.7. Redis supports executing Lua scripts to extend its functionality, and with the introduction of Access Control Lists (ACLs) in Redis 6.0, different users can have different privilege levels. However, the Lua sandboxing mechanisms were originally designed without considering user privilege separation, leading to exploitable gaps. Specifically, a less privileged user can inject malicious Lua code that persists and executes later with the privileges of a more privileged user when that user runs a Lua script. This occurs because the sandboxing does not fully isolate script side effects or prevent code injection across different user contexts. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that the system improperly controls how code is generated and executed, allowing injection of unauthorized code. The issue can be mitigated by upgrading Redis to versions 7.0.0 or 6.2.7 and later, where the Lua environment and ACL enforcement have been improved. Alternatively, if Lua scripting is not required, administrators can block the SCRIPT LOAD and EVAL commands via ACL rules to prevent script injection without patching the Redis server executable. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk in multi-user Redis deployments where users have different privilege levels and Lua scripting is enabled.

Potential Impact

For European organizations, this vulnerability can lead to unauthorized code execution within Redis instances, potentially compromising the confidentiality, integrity, and availability of data managed by Redis. Attackers with low privileges could escalate their access by injecting Lua scripts that execute with higher privileges, enabling data manipulation, unauthorized data access, or disruption of Redis services. This could impact critical applications relying on Redis for caching or session management, leading to service outages or data breaches. Given Redis's widespread use in financial services, telecommunications, and public sector IT infrastructure across Europe, exploitation could disrupt business operations and erode trust. The persistence of injected code means that attacks could be stealthy and long-lasting, complicating detection and remediation. Additionally, if Redis is used in microservices architectures or as part of cloud-native deployments, the vulnerability could facilitate lateral movement within networks, increasing the attack surface. The absence of known exploits currently reduces immediate risk but does not eliminate the potential for targeted attacks, especially in high-value sectors.

Mitigation Recommendations

1. Upgrade Redis installations to version 7.0.0 or 6.2.7 or later as soon as possible to apply the official fix addressing the Lua sandboxing and ACL enforcement issues.
2. If upgrading is not immediately feasible and Lua scripting is not required, implement ACL rules to explicitly block the SCRIPT LOAD and EVAL commands, preventing script injection vectors.
3. Audit existing Redis ACL configurations to ensure minimal privileges are granted, following the principle of least privilege, and restrict user capabilities related to scripting.
4. Monitor Redis logs and command usage for unusual SCRIPT LOAD or EVAL activity that could indicate attempted exploitation.
5. For environments using Redis in multi-tenant or shared contexts, consider isolating Redis instances per user or service to reduce cross-user privilege escalation risks.
6. Incorporate Redis security best practices such as network segmentation, use of authentication, and encryption in transit to reduce exposure.
7. Conduct regular security assessments and penetration testing focused on Redis deployments to identify and remediate potential misconfigurations or vulnerabilities.
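The following script is an added example for recommendations 2 to 4 above; it is not code from the Redis project or from this advisory's author. It reads the one-line-per-user text that `ACL LIST` returns, reports which users can still run EVAL, EVALSHA or SCRIPT, emits the `ACL SETUSER ... -@scripting` rule that removes that ability (the category-level form of the advisory's advice to block `SCRIPT LOAD` and `EVAL`), and scans MONITOR output for those commands. The membership of the `@scripting` category, the truncated password hashes and all sample lines are constructed for the example.

```python
"""Audit Redis ACL users for the scripting commands named in CVE-2022-24735.

Added example, not Redis project code. Works on `ACL LIST` text and on
MONITOR output; the sample data at the bottom is constructed.
"""
import re

# Assumption: the @scripting ACL category contains these commands. The
# advisory names SCRIPT LOAD and EVAL; EVALSHA runs the same loaded scripts.
SCRIPTING_COMMANDS = frozenset({"eval", "evalsha", "script"})


def allowed_scripting_commands(acl_line):
    """Return (user, set of scripting commands the user may run).

    Rules are applied left to right, as Redis does. Only rules that can
    affect EVAL/EVALSHA/SCRIPT are interpreted; key patterns (~), channel
    patterns (&), password hashes (#), on/off and other categories are skipped.
    """
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError("not an ACL LIST line: %r" % acl_line)
    user = tokens[1]
    allowed = set()
    for tok in tokens[2:]:
        if tok in ("allcommands", "+@all"):
            allowed |= SCRIPTING_COMMANDS
        elif tok in ("nocommands", "-@all"):
            allowed.clear()
        elif tok == "+@scripting":
            allowed |= SCRIPTING_COMMANDS
        elif tok == "-@scripting":
            allowed -= SCRIPTING_COMMANDS
        elif tok[0] in "+-" and not tok.startswith(("+@", "-@")):
            # Plain command rule, possibly with a subcommand ("+script|load").
            # The base command decides, so a partial grant is still flagged.
            cmd = tok[1:].split("|", 1)[0].lower()
            if cmd in SCRIPTING_COMMANDS:
                if tok[0] == "+":
                    allowed.add(cmd)
                else:
                    allowed.discard(cmd)
    return user, allowed


def audit_acl_list(acl_list_text):
    """Map every user in ACL LIST output to the scripting commands it may run."""
    report = {}
    for line in acl_list_text.splitlines():
        if line.strip():
            user, allowed = allowed_scripting_commands(line)
            report[user] = allowed
    return report


def hardening_rules(report):
    """ACL SETUSER rules that remove scripting from every user still holding it."""
    return ["ACL SETUSER %s -@scripting" % user
            for user, allowed in report.items() if allowed]


# MONITOR line shape: "<timestamp> [<db> <client>] "CMD" "arg" ..."
MONITOR_LINE = re.compile(r'^(\d+\.\d+) \[(\d+) ([^\]]+)\] (.*)$')
MONITOR_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"')


def flag_script_commands(monitor_text):
    """Return (timestamp, client, command) for EVAL, EVALSHA or SCRIPT LOAD in MONITOR output."""
    hits = []
    for line in monitor_text.splitlines():
        m = MONITOR_LINE.match(line)
        if not m:
            continue
        args = MONITOR_ARG.findall(m.group(4))
        if not args:
            continue
        cmd = args[0].upper()
        if cmd in ("EVAL", "EVALSHA"):
            hits.append((m.group(1), m.group(3), cmd))
        elif cmd == "SCRIPT" and len(args) > 1 and args[1].upper() == "LOAD":
            hits.append((m.group(1), m.group(3), "SCRIPT LOAD"))
    return hits


# Constructed sample `ACL LIST` output (hashes truncated placeholders).
SAMPLE_ACL_LIST = """\
user default on nopass ~* &* +@all
user app on #0123abcd ~app:* &* -@all +@read +@write +eval +evalsha
user readonly on #4567ef01 ~* &* -@all +@read
user batch on #89ab2345 ~* &* +@all -@scripting
"""

# Constructed sample MONITOR output.
SAMPLE_MONITOR = """\
1650000000.000100 [0 10.0.0.5:51234] "GET" "session:abc"
1650000001.000200 [0 10.0.0.9:51300] "SCRIPT" "LOAD" "return redis.call('get', KEYS[1])"
1650000002.000300 [0 10.0.0.9:51300] "EVAL" "return 1" "0"
1650000003.000400 [0 10.0.0.5:51234] "SET" "k" "v"
"""

if __name__ == "__main__":
    report = audit_acl_list(SAMPLE_ACL_LIST)
    for user, allowed in report.items():
        print("%-10s %s" % (user, ", ".join(sorted(allowed)) or "(no scripting)"))
    for rule in hardening_rules(report):
        print(rule)
    for ts, client, cmd in flag_script_commands(SAMPLE_MONITOR):
        print("script activity at %s from %s: %s" % (ts, client, cmd))
```

The `batch` user shows the corrected pattern next to the weak `default` one: `+@all -@scripting` keeps every other capability while removing the commands this advisory is about. Apply the emitted rules only where Lua scripting is genuinely unused, and persist them with `ACL SAVE` or in the ACL file so they survive a restart.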


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-02-10T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9848c4522896dcbf641a

Added to database: 5/21/2025, 9:09:28 AM

Last enriched: 6/22/2025, 2:06:15 AM

Last updated: 7/25/2025, 5:15:59 PM

Views: 13
