History: Apr 13, 2016 - 3:59 p.m.

CVE-2015-8080

2016-04-13 15:59:04
CWE-190
web.nvd.nist.gov
cve-2015-8080
integer overflow
lua
redis
denial of service
memory corruption
application crash
sandbox restrictions
buffer overflow

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 8 High
Confidence: High

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.827 High
Percentile: 98.4%

Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow.

Affected configurations

NVD

Node
redislabs redis, Range 2.8.0 to 2.8.24
OR
redislabs redis, Range 3.0.0 to 3.0.6
OR
redislabs redis, Range 5.0.0 to 5.0.8

Node
debian debian_linux, Match 8.0
OR
debian debian_linux, Match 9.0

Node
opensuse leap, Match 42.1
OR
opensuse opensuse, Match 13.2

Node
redhat openstack, Match 6.0
OR
redhat openstack, Match 7.0
