CVE-2021-21309

CWE-190 — Integer Overflow7 documents7 sources

Severity

8.8HIGH

EPSS

0.5%

top 35.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Redis Redislabs Redis

Timeline

PublishedFeb 26

Latest updateAug 3

Description

Redis is an open-source, in-memory database that persists on disk. In affected versions of Redis an integer overflow bug in 32-bit Redis version 4.0 or newer could be exploited to corrupt the heap and potentially result with remote code execution. Redis 4.0 or newer uses a configurable limit for the maximum supported bulk input size. By default, it is 512MB which is a safe value for all platforms. If the limit is significantly increased, receiving a large request from a client may trigger severa…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:LExploitability: 2.2 | Impact: 2.7

Affected Packages3 packages

▶CVEListV5redis/redis< 5.0.11+1

▶NVDredislabs/redis4.0 — 5.0.11+1

▶Debianredis< 5:6.0.11-1+3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

CVEList

Integer overflow on 32-bit systems↗2021-02-26

▶

OSV

CVE-2021-21309: Redis is an open-source, in-memory database that persists on disk↗2021-02-26

▶

📋Vendor Advisories

Ubuntu

Redis vulnerabilities↗2022-08-03

▶

Red Hat

redis: integer overflow when configurable limit for maximum supported bulk input size is too big on 32-bit platforms↗2021-02-22

▶

Microsoft

Integer overflow on 32-bit systems↗2021-02-09

▶

Debian

CVE-2021-21309: redis - Redis is an open-source, in-memory database that persists on disk. In affected v...↗2021

▶