CVE-2021-32625

CWE-680 CWE-190 — Integer Overflow5 documents5 sources

Severity

8.8HIGH

EPSS

2.7%

top 14.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Redis Redislabs Redis Fedoraproject Fedora

Timeline

PublishedJun 2

Description

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer, could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix by CVE-2021-29477. The problem is fixed in version 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages3 packages

▶CVEListV5redis/redis< 6.0.14+1

▶NVDredislabs/redis6.0.0 — 6.0.14+1

▶Debianredis< 5:6.0.14-1+3

Also affects: Fedora 33, 34

🔴Vulnerability Details

OSV

CVE-2021-32625: Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker↗2021-06-02

▶

CVEList

Redis vulnerability in STRALGO LCS on 32-bit systems↗2021-06-02

▶

📋Vendor Advisories

Red Hat

redis: Heap corruption via `STRALGO LCS` command (Incomplete fix for CVE-2021-29477)↗2021-06-01

▶

Debian

CVE-2021-32625: redis - Redis is an open source (BSD licensed), in-memory data structure store, used as ...↗2021

▶