Race Condition

2023-10-2005:33:12

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

race condition

redis server

vulnerability

unauthorized access

socket file

software

3.6 Low

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

0.0004 Low

EPSS

Percentile

10.6%

JSON

libredis.so is vulnerable to Race Condition. The vulnerability allows an attacker to gain unauthorized access to a Redis server by exploiting a race condition that occurs when the server is starting up. The attacker could exploit this vulnerability by sending a specially crafted request to a vulnerable Redis server which would cause the server to create a new socket file with insecure permissions. The attacker could then connect to this socket file and gain unauthorized access to the server.

CPENameOperatorVersion
libredis.soeqdebug
redis:sideq5:6.0.9-1
redis:sideq5:6.0.15-1
redis:bustereq5:5.0.3-4+deb10u3
redis:bustereq5:5.0.3-4+deb10u2
redis:3.18eq7.0.13-r0
redis:3.18eq7.0.12-r0
redis:3.18eq7.0.11-r0
redis:3.16eq7.0.4-r0
redis:3.16eq7.0.2-r0

Name	Operator	Version
libredis.so	eq	debug
redis:sid	eq	5:6.0.9-1
redis:sid	eq	5:6.0.15-1
redis:buster	eq	5:5.0.3-4+deb10u3
redis:buster	eq	5:5.0.3-4+deb10u2
redis:3.18	eq	7.0.13-r0
redis:3.18	eq	7.0.12-r0
redis:3.18	eq	7.0.11-r0
redis:3.16	eq	7.0.4-r0
redis:3.16	eq	7.0.2-r0