Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from 2.0.4 through 2.15.0. Users are recommended to upgrade to version 2.16.0, which fixes the issue.
The error consists of a heap buffer overflow in the cjson library, which is used to handle JSON format in Lua scripts embedded in Apache Kvrocks. An attacker can send specially crafted input data causing a write outside the boundaries of the allocated heap buffer. This can lead to process memory corruption and potentially to arbitrary code execution.
A remote, unauthenticated attacker can cause arbitrary code execution on the server (RCE), as well as compromise the confidentiality, integrity and availability of both the attacked system and systems associated with it.
Apache Kvrocks should be updated to version 2.16.0 as soon as possible, which fixes the described vulnerability. Details are available in the vendor's references.
Apache Kvrocks in versions from 2.0.4 to 2.15.0 inclusive.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X