CVE-2016-10517

CWE-254 CWE-887 documents7 sources

Severity

7.4HIGH

EPSS

0.4%

top 40.91%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redislabs Redis Apache Software Foundation Apache Kvrocks

Timeline

PublishedOct 24

Latest updateMay 14

Description

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port).

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:NExploitability: 2.8 | Impact: 4.0

Affected Packages3 packages

▶NVDredislabs/redis< 3.2.7

▶Debianredis< 3:3.2.7-1+3

▶CVEListV5apache_software_foundation/apache_kvrocks2.11.0

🔴Vulnerability Details

GHSA

GHSA-r965-fhrj-6v64: networking↗2022-05-14

▶

CVEList

CVE-2016-10517: networking↗2017-10-24

▶

OSV

CVE-2016-10517: networking↗2017-10-24

▶

📋Vendor Advisories

Red Hat

redis: cross-protocol attack using malicious HTTP request↗2016-08-03

▶

Debian

CVE-2016-10517: redis - networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it ...↗2016

▶

💬Community

Bugzilla

CVE-2016-10517 redis: cross-protocol attack using malicious HTTP request↗2017-11-20

▶