VuXML ID | Description |
0e38b8f8-75dd-11eb-83f2-8c164567ca3c | redis -- Integer overflow on 32-bit systems
Redis Development team reports:
Redis 4.0 or newer uses a configurable limit for
the maximum supported bulk input size. By default,
it is 512MB which is a safe value for all platforms.
If the limit is significantly increased, receiving a
large request from a client may trigger several
integer overflow scenarios, which would result with
buffer overflow and heap corruption.
Discovery 2021-02-22 Entry 2021-02-23 redis-devel
< 6.2.0
redis
< 6.0.11
redis5
< 5.0.11
CVE-2021-21309
|
1606b03b-ac57-11eb-9bdd-8c164567ca3c | redis -- multiple vulnerabilities
Redis project reports:
- Vulnerability in the STRALGO LCS command
-
An integer overflow bug in Redis version 6.0 or newer could be
exploited using the STRALGO LCS command to corrupt the heap and
potentially result with remote code execution.
- Vulnerability in the COPY command for large intsets
-
An integer overflow bug in Redis 6.2 could be exploited to corrupt
the heap and potentially result with remote code execution.
The vulnerability involves changing the default set-max-intset-entries
configuration value, creating a large set key that consists of
integer values and using the COPY command to duplicate it.
The integer overflow bug exists in all versions of Redis starting
with 2.6, where it could result with a corrupted RDB or DUMP payload,
but not exploited through COPY (which did not exist before 6.2).
Discovery 2021-05-03 Entry 2021-05-03 redis
ge 6.0.0 lt 6.0.13
redis-devel
ge 6.2.0 lt 6.2.3
CVE-2021-29477
CVE-2021-29478
https://groups.google.com/g/redis-db/c/6GSWzTW0PR8
|
838fa84a-0e25-11e5-90e4-d050996490d0 | redis -- EVAL Lua Sandbox Escape
Ben Murphy reports:
It is possible to break out of the Lua sandbox in
Redis and execute arbitrary code.
This shouldnât pose a threat to users under the
trusted Redis security model where only trusted
users can connect to the database. However, in real
deployments there could be databases that can be
accessed by untrusted users. The main deployments
that are vulnerable are developers machines, places
where redis servers can be reached via SSRF attacks
and cloud hosting.
Discovery 2015-06-04 Entry 2015-06-08 redis
redis-devel
ge 2.6.0 lt 2.8.21
ge 3.0 lt 3.0.2
CVE-2015-4335
http://benmmurphy.github.io/blog/2015/06/04/redis-eval-lua-sandbox-escape/
|
8eb69cd0-c2ec-11eb-b6e7-8c164567ca3c | redis -- integer overflow
Redis development team reports:
An integer overflow bug in Redis version 6.0 or newer can be
exploited using the STRALGO LCS command to corrupt the heap and
potentially result with remote code execution. This is a result
of an incomplete fix by CVE-2021-29477.
Discovery 2021-06-01 Entry 2021-06-01 redis
ge 6.0.0 lt 6.0.14
redis-devel
ge 6.2.0 lt 6.2.4
CVE-2021-32625
https://groups.google.com/g/redis-db/c/RLTwi1kKsCI
|
91be81e7-3fea-11e1-afc7-2c4138874f7d | Multiple implementations -- DoS via hash algorithm collision
oCERT reports:
A variety of programming languages suffer from a denial-of-service
(DoS) condition against storage functions of key/value pairs in
hash data structures, the condition can be leveraged by exploiting
predictable collisions in the underlying hashing algorithms.
The issue finds particular exposure in web server applications
and/or frameworks. In particular, the lack of sufficient limits
for the number of parameters in POST requests in conjunction with
the predictable collision properties in the hashing functions of
the underlying languages can render web applications vulnerable
to the DoS condition. The attacker, using specially crafted HTTP
requests, can lead to a 100% of CPU usage which can last up to
several hours depending on the targeted application and server
performance, the amplification effect is considerable and
requires little bandwidth and time on the attacker side.
The condition for predictable collisions in the hashing functions
has been reported for the following language implementations:
Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the
Ruby language, the 1.9.x branch is not affected by the
predictable collision condition since this version includes a
randomization of the hashing function.
The vulnerability outlined in this advisory is practically
identical to the one reported in 2003 and described in the paper
Denial of Service via Algorithmic Complexity Attacks which
affected the Perl language.
Discovery 2011-12-28 Entry 2012-01-16 Modified 2012-01-20 jruby
< 1.6.5.1
ruby
ruby+nopthreads
ruby+nopthreads+oniguruma
ruby+oniguruma
< 1.8.7.357,1
rubygem-rack
< 1.3.6,3
v8
< 3.8.5
redis
le 2.4.6
node
< 0.6.7
CVE-2011-4838
CVE-2011-4815
CVE-2011-5036
CVE-2011-5037
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
|
9b4806c1-257f-11ec-9db5-0800270512f4 | redis -- multiple vulnerabilities
The Redis Team reports:
- CVE-2021-41099
-
Integer to heap buffer overflow handling certain string commands
and network payloads, when proto-max-bulk-len is manually configured.
- CVE-2021-32762
-
Integer to heap buffer overflow issue in redis-cli and redis-sentinel
parsing large multi-bulk replies on some older and less common platforms.
- CVE-2021-32687
-
Integer to heap buffer overflow with intsets, when set-max-intset-entries
is manually configured to a non-default, very large value.
- CVE-2021-32675
-
Denial Of Service when processing RESP request payloads with a large
number of elements on many connections.
- CVE-2021-32672
-
Random heap reading issue with Lua Debugger.
- CVE-2021-32628
-
Integer to heap buffer overflow handling ziplist-encoded data types,
when configuring a large, non-default value for hash-max-ziplist-entries,
hash-max-ziplist-value, zset-max-ziplist-entries or zset-max-ziplist-value.
- CVE-2021-32627
-
Integer to heap buffer overflow issue with streams, when configuring
a non-default, large value for proto-max-bulk-len and
client-query-buffer-limit.
- CVE-2021-32626
-
Specially crafted Lua scripts may result with Heap buffer overflow.
Discovery 2021-10-04 Entry 2021-10-05 redis-devel
< 7.0.0.20211005
redis
< 6.2.6
redis6
< 6.0.16
redis5
< 5.0.14
CVE-2021-41099
CVE-2021-32762
CVE-2021-32687
CVE-2021-32675
CVE-2021-32672
CVE-2021-32628
CVE-2021-32627
CVE-2021-32626
https://groups.google.com/g/redis-db/c/GS_9L2KCk9g
|
c561ce49-eabc-11eb-9c3f-0800270512f4 | redis -- Integer overflow issues with BITFIELD command on 32-bit systems
Huang Zhw reports:
On 32-bit versions, Redis BITFIELD command is vulnerable to integer
overflow that can potentially be exploited to corrupt the heap,
leak arbitrary heap contents or trigger remote code execution.
The vulnerability involves constructing specially crafted bit
commands which overflow the bit offset.
This problem only affects 32-bit versions of Redis.
Discovery 2021-07-04 Entry 2021-07-27 redis
< 6.0.15
redis-devel
< 6.2.5
redis5
< 5.0.13
CVE-2021-32761
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
|
cc42db1c-c65f-11ec-ad96-0800270512f4 | redis -- Multiple vulnerabilities
Aviv Yahav reports:
- CVE-2022-24735
-
By exploiting weaknesses in the Lua script execution
environment, an attacker with access to Redis can inject
Lua code that will execute with the (potentially higher)
privileges of another Redis user.
- CVE-2022-24736
-
An attacker attempting to load a specially crafted Lua
script can cause NULL pointer dereference which will
result with a crash of the redis-server process.
Discovery 2022-04-27 Entry 2022-04-27 redis
< 6.2.7
redis-devel
< 7.0.0.20220428
redis62
< 6.2.7
CVE-2022-24735
CVE-2022-24736
https://groups.google.com/g/redis-db/c/7iWUlwtoDqU
|
fa175f30-8c75-11e6-924a-60a44ce6887b | redis -- sensitive information leak through command history file
Redis team reports:
The redis-cli history file (in linenoise) is created with the
default OS umask value which makes it world readable in most systems
and could potentially expose authentication credentials to other
users.
Discovery 2013-11-30 Entry 2016-10-11 redis
redis-devel
< 3.2.3
https://github.com/antirez/redis/pull/1418
https://github.com/antirez/redis/issues/3284
CVE-2013-7458
|