CVE-2021-29478

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 6.0 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

EPSS: 0.005 Low
EPSS Percentile: 76.3%
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result in remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command; an authenticated client that is allowed to run CONFIG SET is exactly the "low privileges, network" attacker the CVSS vector above describes.
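The ACL workaround above is only as good as the ACL file actually loaded, so the following is an added example (not code from the advisory or from the Redis project) of a small static audit: it parses a Redis 6.2 users.acl and reports which users can still run CONFIG SET, and therefore still change set-max-intset-entries. The sample ACL file is constructed for this example and shows the shipped default beside a hardened user; the rule semantics are a subset of Redis 6.x ACL handling restricted to what matters for CONFIG (CONFIG sits in the admin, slow and dangerous categories; `-cmd|sub` is not accepted before Redis 7.0; `+cmd|sub` on a command that is already fully allowed is rejected). Every other name in the block is the example's own.

```python
"""Static audit of a Redis 6.2 ACL file: which users can run CONFIG SET?

Added example, not code from the advisory or the Redis project. The ACL
semantics below are a subset of Redis 6.x ACL rule handling, limited to
what matters for the CONFIG command.
"""

# Redis 6.2 command categories that contain CONFIG (see COMMAND INFO CONFIG).
CONFIG_CATEGORIES = {"all", "admin", "slow", "dangerous"}

# Constructed sample users.acl for this example (not from any real deployment).
SAMPLE_ACL = """\
# Default user as shipped in redis.conf: no password, every command,
# so any client that reaches the port can run CONFIG SET.
user default on nopass ~* &* +@all
# Application user with full access: CONFIG SET reachable with its password.
user app on >app-secret ~* &* +@all
# Hardened application user: drop CONFIG, then re-allow only CONFIG GET.
user app_hardened on >app-secret ~* &* +@all -config +config|get
# Monitoring user: read-only categories never include CONFIG.
user monitor on >mon-secret ~* &* -@all +@read +info +ping
"""


class UserPerms:
    """CONFIG-related permission state for one user, built rule by rule."""

    def __init__(self, name):
        self.name = name
        self.config_all = False   # CONFIG allowed with any subcommand
        self.config_subs = set()  # first-arg exceptions such as {"get"}
        self.errors = []          # rules Redis 6.2 itself would reject


def apply_rule(p, rule):
    """Apply one ACL rule in order (later rules override earlier ones)."""
    r = rule.lower()
    if r in ("allcommands", "+@all"):
        p.config_all, p.config_subs = True, set()
    elif r in ("nocommands", "-@all", "reset"):
        p.config_all, p.config_subs = False, set()
    elif r.startswith("+@"):
        if r[2:] in CONFIG_CATEGORIES:
            p.config_all, p.config_subs = True, set()
    elif r.startswith("-@"):
        if r[2:] in CONFIG_CATEGORIES:
            p.config_all, p.config_subs = False, set()
    elif r.startswith("-") and "|" in r:
        # "-cmd|sub" is only supported from Redis 7.0; 6.2 refuses to load it.
        p.errors.append(f"{rule}: removing a subcommand is not supported in Redis 6.x")
    elif r.startswith("+config|"):
        if p.config_all:
            # Redis 6.x rejects adding a subcommand of a fully allowed command.
            p.errors.append(f"{rule}: CONFIG is already fully allowed; put -config first")
        else:
            p.config_subs.add(r.split("|", 1)[1])
    elif r == "+config":
        p.config_all, p.config_subs = True, set()
    elif r == "-config":
        p.config_all, p.config_subs = False, set()
    # on/off, passwords, key and channel patterns, and other commands do not
    # affect CONFIG and are ignored here.


def parse_acl(text):
    """Parse 'user <name> <rule>...' lines; comments and blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] != "user" or len(parts) < 2:
            continue
        p = UserPerms(parts[1])
        for rule in parts[2:]:
            apply_rule(p, rule)
        users[p.name] = p
    return users


def can_config_set(p):
    """True if this user can run CONFIG SET (and so change set-max-intset-entries)."""
    return p.config_all or "set" in p.config_subs


def audit(text):
    """Map each user name to whether it can run CONFIG SET."""
    return {name: can_config_set(p) for name, p in parse_acl(text).items()}


if __name__ == "__main__":
    for name, p in parse_acl(SAMPLE_ACL).items():
        verdict = "CAN run CONFIG SET" if can_config_set(p) else "cannot run CONFIG SET"
        print(f"{name}: {verdict}")
        for err in p.errors:
            print(f"  rejected rule: {err}")
```

The same hardening can be applied to a running 6.2 instance with `ACL SETUSER app -config +config|get` (and `ACL SAVE` if an aclfile is configured). Do not forget the `default` user: as shipped it is `on nopass +@all`, so every client that can reach the port is already an authenticated user for CVSS purposes; give it a password (`requirepass`, which in 6.x is shorthand for `user default on >password`) or strip CONFIG from it too. The ACL only stops the parameter from being changed at runtime; it does not fix the overflow, so the real remediation is upgrading to 6.2.3.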
Author | Note |
---|---|
ebarretto | Redis 6.0 and earlier are not directly affected by this issue. |
github.com/redis/redis/commit/29900d4e6bccdf3691bedf0ea9a5d84863fa3592
github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3
groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
launchpad.net/bugs/cve/CVE-2021-29478
nvd.nist.gov/vuln/detail/CVE-2021-29478
redis.io/
security-tracker.debian.org/tracker/CVE-2021-29478
www.cve.org/CVERecord?id=CVE-2021-29478