Tracked as CVE-2022-0543, the security hole has a CVSS score of 10 and is described as an insufficient sanitization in Lua. While Redis statically links the Lua Library, some Debian/Ubuntu packages dynamically link it, leading to a sandbox escape that can be exploited to achieve remote code execution.
Both Debian and Ubuntu announced patches for the bug on February 18. On March 8, however, Brazilian security researcher Reginaldo Silva, who was credited for finding the issue, released proof-of-concept code targeting it.
