CVE-2021-31294 — Reachable Assertion in Redis

CWE-617 — Reachable Assertion5 documents5 sources

Severity

5.9MEDIUMNVD

EPSS

0.2%

top 56.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Redis

Timeline

PublishedJul 15

Latest updateJul 16

Description

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶NVDredis/redis< 6.2.0

▶debiandebian/redis< redis 5:7.0.1-4 (bookworm)

▶Debianredis/redis< 5:7.0.1-4+2

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-g2jg-2qcv-q3h9: Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET c↗2023-07-16

▶

OSV

CVE-2021-31294: Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET c↗2023-07-15

▶

📋Vendor Advisories

Red Hat

redis: an assertion failure in a primary server by sending a non-administrative command↗2023-07-15

▶

Debian

CVE-2021-31294: redis - Redis before 6cbea7d allows a replica to cause an assertion failure in a primary...↗2021

▶