7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
72.7%
Redis is an open source, in-memory database that persists on disk. An
integer overflow bug in the ziplist data structure used by all versions of
Redis can be exploited to corrupt the heap and potentially result with
remote code execution. The vulnerability involves modifying the default
ziplist configuration parameters (hash-max-ziplist-entries,
hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value)
to a very large value, and then constructing specially crafted commands to
create very large ziplists. The problem is fixed in Redis versions 6.2.6,
6.0.16, 5.0.14. An additional workaround to mitigate the problem without
patching the redis-server executable is to prevent users from modifying the
above configuration parameters. This can be done using ACL to restrict
unprivileged users from using the CONFIG SET command.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | redis | < 5:4.0.9-1ubuntu0.2+esm3 | UNKNOWN |
ubuntu | 20.04 | noarch | redis | < 5:5.0.7-2ubuntu0.1+esm1 | UNKNOWN |
ubuntu | 14.04 | noarch | redis | < 2:2.8.4-2ubuntu0.2+esm2) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
ubuntu | 16.04 | noarch | redis | < 2:3.0.6-1ubuntu0.4+esm1 | UNKNOWN |
github.com/redis/redis/commit/f6a40570fa63d5afdd596c78083d754081d80ae3
github.com/redis/redis/security/advisories/GHSA-vw22-qm3h-49pr
launchpad.net/bugs/cve/CVE-2021-32628
nvd.nist.gov/vuln/detail/CVE-2021-32628
security-tracker.debian.org/tracker/CVE-2021-32628
ubuntu.com/security/notices/USN-5221-1
www.cve.org/CVERecord?id=CVE-2021-32628
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
72.7%