CVE-2021-29478

CWE-190Integer Overflow5 documents5 sources
Severity
8.8HIGH
EPSS
2.5%
top 14.69%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Redislabs RedisRedis RedisFedoraproject Fedora
Timeline
PublishedMay 4

Description

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result with remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `set

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

NVDredislabs/redis6.2.06.2.3
Debianredis< 5:6.0.13-1+3
CVEListV5redis/redis>= 6.2.0, < 6.2.3

Also affects: Fedora 33, 34

🔴Vulnerability Details

2
OSV
CVE-2021-29478: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker2021-05-04
CVEList
Vulnerability in the COPY command for large intsets2021-05-04

📋Vendor Advisories

2
Red Hat
redis: Integer overflow via COPY command for large intsets2021-05-04
Debian
CVE-2021-29478: redis - Redis is an open source (BSD licensed), in-memory data structure store, used as ...2021