Redis Security Vulnerabilities and Issues — Redis CVE List

Lucene search

RedislabsRedis

8 matches found

CVE•added 2021/07/21 9:15 p.m.•285 views

CVE-2021-32761

Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis *BIT* command are vulnerable to integer overflow that...

7.5CVSS8AI score0.00845EPSS

CVE•added 2019/07/11 7:15 p.m.•284 views

CVE-2019-10192

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up...

7.2CVSS6.8AI score0.16771EPSS

CVE•added 2019/07/11 7:15 p.m.•266 views

CVE-2019-10193

A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past t...

7.2CVSS6.8AI score0.34565EPSS

CVE•added 2020/06/15 6:15 p.m.•219 views

CVE-2020-14147

An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large ...

7.7CVSS8AI score0.01207EPSS

CVE•added 2016/04/13 3:59 p.m.•151 views

CVE-2015-8080

Integer overflow in the getnum function in lua_struct.c in Redis 2.8.x before 2.8.24 and 3.0.x before 3.0.6 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbo...

7.5CVSS8AI score0.01207EPSS

CVE•added 2017/10/24 6:29 p.m.•78 views

CVE-2016-10517

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port).

7.4CVSS7.2AI score0.0024EPSS

CVE•added 2018/06/16 5:29 p.m.•77 views

CVE-2018-12453

Type confusion in the xgroupCommand function in t_stream.c in redis-server in Redis before 5.0 allows remote attackers to cause denial-of-service via an XGROUP command in which the key is not a stream.

7.5CVSS7.4AI score0.28558EPSS

CVE•added 2021/09/20 4:15 p.m.•49 views

CVE-2020-21468

A segmentation fault in the redis-server component of Redis 5.0.7 leads to a denial of service (DOS). NOTE: the vendor cannot reproduce this issue in a released version, such as 5.0.7

7.5CVSS7.3AI score0.00384EPSS