CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
89.7%
Redis is an open source, in-memory database that persists on disk. In
affected versions specially crafted Lua scripts executing in Redis can
cause the heap-based Lua stack to be overflowed, due to incomplete checks
for this condition. This can result with heap corruption and potentially
remote code execution. This problem exists in all versions of Redis with
Lua scripting support, starting from 2.6. The problem is fixed in versions
6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional
workaround to mitigate the problem without patching the redis-server
executable is to prevent users from executing Lua scripts. This can be done
using ACL to restrict EVAL and EVALSHA commands.
github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591
github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c
launchpad.net/bugs/cve/CVE-2021-32626
nvd.nist.gov/vuln/detail/CVE-2021-32626
security-tracker.debian.org/tracker/CVE-2021-32626
ubuntu.com/security/notices/USN-5221-1
www.cve.org/CVERecord?id=CVE-2021-32626
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
89.7%