CVE-2022-0543 in docker image
moon2263 opened this issue · 2 comments
moon2263 commented
When I scanned the redis:7.0.11-alpine image with grype, the output was as below:
```json
{
  "vulnerability": {
    "id": "CVE-2022-0543",
    "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-0543",
    "namespace": "nvd:cpe",
    "severity": "Critical",
    "urls": [
      "http://packetstormsecurity.com/files/166885/Redis-Lua-Sandbox-Escape.html",
      "https://bugs.debian.org/1005787",
      "https://lists.debian.org/debian-security-announce/2022/msg00048.html",
      "https://security.netapp.com/advisory/ntap-20220331-0004/",
      "https://www.debian.org/security/2022/dsa-5081",
      "https://www.ubercomp.com/posts/2022-01-20_redis_on_debian_rce"
    ],
    "description": "It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific) Lua sandbox escape, which could result in remote code execution.",
    "cvss": [
      {
        "version": "2.0",
        "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
        "metrics": {
          "baseScore": 10,
          "exploitabilityScore": 10,
          "impactScore": 10
        },
        "vendorMetadata": {}
      },
      {
        "version": "3.1",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "metrics": {
          "baseScore": 10,
          "exploitabilityScore": 3.9,
          "impactScore": 6
        },
        "vendorMetadata": {}
      }
    ],
    "fix": {
      "versions": [],
      "state": "unknown"
    },
    "advisories": []
  },
  "relatedVulnerabilities": [],
  "matchDetails": [
    {
      "type": "cpe-match",
      "matcher": "stock-matcher",
      "searchedBy": {
        "namespace": "nvd:cpe",
        "cpes": [
          "cpe:2.3:a:redis:redis:7.0.11:*:*:*:*:*:*:*"
        ]
      },
      "found": {
        "vulnerabilityID": "CVE-2022-0543",
        "versionConstraint": "none (unknown)",
        "cpes": [
          "cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*"
        ]
      }
    }
  ],
  "artifact": {
    "name": "redis",
    "version": "7.0.11",
    "type": "binary",
    "locations": [
      {
        "path": "/usr/local/bin/redis-server",
        "layerID": "sha256:7936e9b38dabf03a21001015fa0c87fe0a895c24fbb25acbb305a5a03ef54594"
      }
    ],
    "language": "",
    "licenses": [],
    "cpes": [
      "cpe:2.3:a:redislabs:redis:7.0.11:*:*:*:*:*:*:*",
      "cpe:2.3:a:redis:redis:7.0.11:*:*:*:*:*:*:*"
    ],
    "purl": "pkg:generic/redis@7.0.11",
    "upstreams": []
  }
}
```
The results say the redis-server binary is affected by CVE-2022-0543, but I couldn't find a patched version.
Is this CVE a false positive? Or if not, can you tell me which version is patched?
yossigo commented
This seems like a false positive, CVE-2022-0543 only applies to the Debian packaging of Redis which has nothing to do with this image.
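Reports of this shape (an `nvd:cpe` match whose found CPE has version `-` and whose `versionConstraint` is `none (unknown)`, with fix state `unknown`) are a recurring source of scanner noise, so it helps to pull them out for manual triage before treating them as findings. The script below is an added example, not part of the issue and not grype's own code: it reads grype JSON output and lists matches that rest solely on a version-less NVD CPE configuration. The embedded input is a constructed, trimmed copy of the match posted above wrapped in the `matches` list grype emits, plus a second made-up match with a concrete version range (the `CVE-EXAMPLE-0001` id is a placeholder) that should not be flagged.

```python
import json

# Constructed sample input: a trimmed copy of the issue's match plus a made-up
# versioned match (CVE-EXAMPLE-0001 is a placeholder id, not a real CVE).
SAMPLE_GRYPE_OUTPUT = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-2022-0543", "namespace": "nvd:cpe",
                       "severity": "Critical", "fix": {"versions": [], "state": "unknown"}},
     "matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher",
                       "found": {"versionConstraint": "none (unknown)",
                                 "cpes": ["cpe:2.3:a:redis:redis:-:*:*:*:*:*:*:*"]}}],
     "artifact": {"name": "redis", "version": "7.0.11", "type": "binary",
                  "locations": [{"path": "/usr/local/bin/redis-server"}]}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "namespace": "nvd:cpe",
                       "severity": "High", "fix": {"versions": ["7.0.12"], "state": "fixed"}},
     "matchDetails": [{"type": "cpe-match", "matcher": "stock-matcher",
                       "found": {"versionConstraint": "< 7.0.12 (unknown)",
                                 "cpes": ["cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*"]}}],
     "artifact": {"name": "redis", "version": "7.0.11", "type": "binary", "locations": []}},
]})


def cpe_version(cpe: str) -> str:
    """Version field of a CPE 2.3 string: cpe:2.3:part:vendor:product:VERSION:..."""
    return cpe.split(":")[5]


def needs_triage(match: dict) -> bool:
    """True when every match detail is a CPE match that carries no version information:
    the NVD constraint is 'none' and the matched CPE version is '-' (no version) or '*'."""
    details = match.get("matchDetails", [])
    if not details:
        return False
    for d in details:
        found = d.get("found", {})
        if d.get("type") != "cpe-match":
            return False
        if not found.get("versionConstraint", "").startswith("none"):
            return False
        if not all(cpe_version(c) in ("-", "*") for c in found.get("cpes", [])):
            return False
    return True


def triage(grype_json: str) -> list:
    """One row per match that should be reviewed by hand, with the evidence to look at."""
    rows = []
    for m in json.loads(grype_json).get("matches", []):
        if needs_triage(m):
            rows.append({"id": m["vulnerability"]["id"],
                         "package": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
                         "fix_state": m["vulnerability"]["fix"]["state"],
                         "found_cpes": m["matchDetails"][0]["found"]["cpes"]})
    return rows
```

Run it over a real report with `triage(open("grype.json").read())`; a match confirmed as a false positive, like the Debian-only CVE here, can then be suppressed with a grype ignore rule keyed on the vulnerability id and package name rather than by dropping all CPE matches.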