Lucene search

PRIOn knowledge basePRION:CVE-2022-36021

HistoryMar 01, 2023 - 4:15 p.m.

Design/Logic Flaw

2023-03-0116:15:00

PRIOn knowledge base

www.prio-n.com

redis

in-memory database

authenticated users

dos attack

cpu consumption

security flaw

vulnerability

version 6.0.18

version 6.2.11

version 7.0.9

5.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

9.0%

JSON

Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.

CPENameOperatorVersion
redisge7.0.0
redislt7.0.9
redisge6.2.0
redislt6.2.11
redislt6.0.18

Name	Operator	Version
redis	ge	7.0.0
redis	lt	7.0.9
redis	ge	6.2.0
redis	lt	6.2.11
redis	lt	6.0.18

References

github.com/redis/redis/commit/dcbfcb916ca1a269b3feef86ee86835294758f84

github.com/redis/redis/security/advisories/GHSA-jr7j-rfj5-8xqv