We are using redis 7.0.4 via the alpine redis docker image. While doing a security scan of the image, the following vulnerabilities were reported.
https://nvd.nist.gov/vuln/detail/CVE-2022-28805 https://nvd.nist.gov/vuln/detail/CVE-2020-15888 https://nvd.nist.gov/vuln/detail/CVE-2022-33099
All 3 of them seem to be coming from the Lua 5.1.5 version, and the file path is pointing to the redis-server binary. Could you please tell us if these can be mitigated?
Regards, Subhankar
Comment From: itamarhaber
xref: https://github.com/docker-library/redis/issues/328
Comment From: subhankarc
Hi @itamarhaber
Since the Lua version used in Redis is 5.1.5, in which the vulnerabilities exist, is there a plan to update Redis with the latest Lua version, or is there any other way to mitigate this issue?
Regards, Subhankar
Comment From: MeirShpilraien
Hey @subhankarc
https://nvd.nist.gov/vuln/detail/CVE-2022-28805 - As described in the CVE, it affects only versions from 5.4.0 (including) up to 5.4.4 (excluding). Redis is running Lua 5.1.5 and so is not affected.
https://nvd.nist.gov/vuln/detail/CVE-2022-33099 - As described in the CVE, it affects 5.4.2 up to 5.4.4, so again Redis is not affected.
https://nvd.nist.gov/vuln/detail/CVE-2020-15888 - I ran the example mentioned in the CVE on Lua 5.4.0 to make sure I can reproduce the crash (as expected, it crashes). I ran the same example on Lua 5.1.5 and it runs. I also tested with valgrind.
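The triage above boils down to one check: is the Lua version actually embedded in the binary inside the affected range the advisory states? Scanners that match on a component name alone will keep flagging Lua 5.1.5 for 5.4.x bugs, so it helps to re-run that range check yourself against the findings. The following is an added example (not code from the Redis project or from anyone in this thread) that encodes NVD-style `versionStartIncluding`/`versionEndExcluding` bounds and applies them to scanner findings. The ranges in the table are hand-copied from the comment above and are constructed data, not fetched from NVD; the CVE-2020-15888 entry only covers the 5.4.0 version the comment reproduced on, so re-check all three against the live advisories before relying on the verdicts.

```python
"""Triage scanner findings against stated affected-version ranges.

Added example, not Redis project code. Ranges below are copied by hand from
the issue comment (constructed data); verify them against NVD before use.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'5.1.5' -> (5, 1, 5). Compare numerically, never as strings:
    lexically '5.10.0' < '5.4.4', which would silently mis-triage."""
    return tuple(int(part) for part in s.strip().split("."))


@dataclass(frozen=True)
class Range:
    """Mirror of the NVD CPE match bounds. None means unbounded on that side."""
    start_incl: Optional[str] = None
    start_excl: Optional[str] = None
    end_incl: Optional[str] = None
    end_excl: Optional[str] = None

    def contains(self, version: str) -> bool:
        v = parse_version(version)
        if self.start_incl is not None and v < parse_version(self.start_incl):
            return False
        if self.start_excl is not None and v <= parse_version(self.start_excl):
            return False
        if self.end_incl is not None and v > parse_version(self.end_incl):
            return False
        if self.end_excl is not None and v >= parse_version(self.end_excl):
            return False
        return True


# Constructed table, transcribed from the comment above (assumption: the
# comment's ranges are accurate; CVE-2020-15888 lists only the version that
# was reproduced there). Re-check against NVD before trusting these.
AFFECTED: Dict[str, List[Range]] = {
    "CVE-2022-28805": [Range(start_incl="5.4.0", end_excl="5.4.4")],
    "CVE-2022-33099": [Range(start_incl="5.4.2", end_incl="5.4.4")],
    "CVE-2020-15888": [Range(start_incl="5.4.0", end_incl="5.4.0")],
}


def triage(detected_version: str, cve_id: str) -> str:
    """Return 'affected', 'not affected', or 'unknown' (CVE not in the table)."""
    ranges = AFFECTED.get(cve_id)
    if ranges is None:
        return "unknown"
    hit = any(r.contains(detected_version) for r in ranges)
    return "affected" if hit else "not affected"


def triage_scan(findings: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """findings: (cve_id, detected_version) pairs as a scanner would emit them."""
    return {cve: triage(version, cve) for cve, version in findings}


if __name__ == "__main__":
    # Constructed scanner output resembling the three findings in this issue.
    scan = [
        ("CVE-2022-28805", "5.1.5"),
        ("CVE-2020-15888", "5.1.5"),
        ("CVE-2022-33099", "5.1.5"),
    ]
    for cve, verdict in triage_scan(scan).items():
        print(f"{cve}: Lua 5.1.5 is {verdict}")
```

The detected version should come from the binary you ship, not from the scanner's guess: `strings` on `redis-server` will show the `Lua 5.1` banner the interpreter embeds, and on a running instance `redis-cli EVAL "return _VERSION" 0` normally returns the same string. Feed whichever you trust into `triage` and keep the scanner's finding as the CVE identifier only.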
Comment From: oranagra
Discussed CVE-2020-15888 again in #11381 and reached the same conclusion. Closing.