Lucene search

GitHub_MCVE-2024-25115

HistoryApr 09, 2024 - 6:15 p.m.

CVE-2024-25115

2024-04-0918:15:08

CWE-120

CWE-122

GitHub_M

web.nvd.nist.gov

redisbloom

vulnerability

remote code execution

cf.loadchunk

heap overflow

nvd

redisbloom 2.0.0

redisbloom 2.4.7

redisbloom 2.6.10

authenticated users

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

9.0%

JSON

RedisBloom adds a set of probabilistic data structures to Redis. Starting in version 2.0.0 and prior to version 2.4.7 and 2.6.10, specially crafted CF.LOADCHUNK commands may be used by authenticated users to perform heap overflow, which may lead to remote code execution. The problem is fixed in RedisBloom 2.4.7 and 2.6.10.

Affected configurations

Vulners

Vulnrichment

Node

redisbloomredisbloomRange2.0.0–2.4.7

redisbloomredisbloomRange2.5.0–2.6.10

VendorProductVersionCPE
redisbloomredisbloom*cpe:2.3:a:redisbloom:redisbloom:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redisbloom	redisbloom	*	cpe:2.3:a:redisbloom:redisbloom::::::::

CNA Affected

[
  {
    "vendor": "RedisBloom",
    "product": "RedisBloom",
    "versions": [
      {
        "version": ">= 2.0.0, < 2.4.7",
        "status": "affected"
      },
      {
        "version": ">= 2.5.0, < 2.6.10",
        "status": "affected"
      }
    ]
  }
]

References

github.com/RedisBloom/RedisBloom/commit/2f3b38394515fc6c9b130679bcd2435a796a49ad

github.com/RedisBloom/RedisBloom/security/advisories/GHSA-w583-p2wh-4vj5

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

Percentile

9.0%

JSON

Related for CVE-2024-25115