cbcvebase.
CVE-2021-32626
published 2021-10-04


Priority: P265 · Severity: high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 15.13% (96.3rd percentile)
Redis is an open source, in-memory database that persists on disk. In affected versions, specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result in heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update, an additional workaround that mitigates the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done by using ACL rules to deny the EVAL and EVALSHA commands.

Affected

25 ranges
Vendor        | Product                               | Version range                        | Fixed in
debian        | debian_linux                          |                                      |
debian        | debian_linux                          |                                      |
debian        | redis                                 | < redis 5:6.0.16-1 (bookworm)        | redis 5:6.0.16-1 (bookworm)
fedoraproject | fedora                                |                                      |
fedoraproject | fedora                                |                                      |
fedoraproject | fedora                                |                                      |
msrc          | cbl2_redis_6.2.6-1_on_cbl_mariner_2.0 |                                      |
msrc          | cm1_redis_5.0.14-1_on_cbl_mariner_1.0 |                                      |
oracle        | communications_operations_monitor     |                                      |
oracle        | communications_operations_monitor     |                                      |
oracle        | communications_operations_monitor     |                                      |
redis         | redis                                 |                                      |
redis         | redis                                 |                                      |
redis         | redis                                 |                                      |
redis         | redis                                 | >= 0 < 5:6.0.16-1+deb11u1            | 5:6.0.16-1+deb11u1
redis         | redis                                 | >= 0 < 5:6.0.16-1                    | 5:6.0.16-1
redis         | redis                                 | >= 0 < 5:6.0.16-1                    | 5:6.0.16-1
redis         | redis                                 | >= 0 < 5:6.0.16-1                    | 5:6.0.16-1
redis         | redis                                 | >= 0 < 2:2.8.4-2ubuntu0.2+esm2       | 2:2.8.4-2ubuntu0.2+esm2
redis         | redis                                 | >= 0 < 2:3.0.6-1ubuntu0.4+esm1       | 2:3.0.6-1ubuntu0.4+esm1
redis         | redis                                 | >= 0 < 5:4.0.9-1ubuntu0.2+esm3       | 5:4.0.9-1ubuntu0.2+esm3
redis         | redis                                 | >= 0 < 5:5.0.7-2ubuntu0.1+esm1       | 5:5.0.7-2ubuntu0.1+esm1
redis         | redis                                 | >= 2.6 < 5.0.14                      | 5.0.14
redis         | redis                                 | >= 6.0.0 < 6.0.16                    | 6.0.16
redis         | redis                                 | >= 6.2.0 < 6.2.6                     | 6.2.6

Detection & IOCs (extracted from sources)

  • Restrict or monitor use of the EVAL and EVALSHA Redis commands; they are the attack vector for triggering the heap-based Lua stack overflow in CVE-2021-32626, and only an authenticated client that is allowed to run them can reach the bug (PR:L in the CVSS vector).
  • Any Redis instance running a version prior to 5.0.14, 6.0.16, or 6.2.6 with Lua scripting available (all versions from Redis 2.6 onward) is vulnerable; flag such instances in your environment.
  • Treat EVAL/EVALSHA traffic from clients or users that are not expected to run scripts as suspicious. Once the commands are denied by ACL, attempts to run them are recorded in ACL LOG (Redis 6.0 and later), which gives a direct signal of exploitation attempts against an instance that has applied the workaround.
  • Mitigation without patching uses Redis ACLs to deny EVAL and EVALSHA for untrusted users. This disables all Lua scripting for those users, so any application feature built on scripts (for example distributed locks or rate limiters) will break for them; patching remains the complete fix.
  • Red Hat Ansible Tower 3 ships an affected version of Redis; Red Hat 3scale API Management Platform 2, Ansible Automation Platform 1.2, RHEL 9, and rh-redis6-redis (Software Collections) are listed as not affected.
  • Oracle Communications (FDP/Redis component) is affected via the TCP network protocol with a CVSS score of 8.8; "Remote Exploit without Auth." is listed as 'No' in Oracle's matrix, consistent with the PR:L in the CVSS vector: the attacker needs an authenticated Redis client that may execute scripts.
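The version check and the ACL workaround described in the advisory text and in the detection bullets above, as an added example that is not code from the Redis project or from this CVE entry. It parses the output of Redis's INFO server command (a constructed sample is embedded), applies the three vulnerable ranges listed on this page, and emits the ACL commands that deny scripting. ACL SETUSER, the @scripting category and ACL LOG are real Redis 6 features; the user name "app" and the sample INFO output are assumptions for illustration.

```python
"""Flag Redis instances affected by CVE-2021-32626 and emit the ACL workaround.

Added example, not code from the Redis project or from this CVE entry.
"""
import re

# Affected ranges exactly as listed on the page: (lower inclusive, upper exclusive).
AFFECTED_RANGES = (
    ((2, 6, 0), (5, 0, 14)),
    ((6, 0, 0), (6, 0, 16)),
    ((6, 2, 0), (6, 2, 6)),
)


def parse_version(text: str) -> tuple:
    """Turn '6.2.5' (or '6.2.5-rc1', '5.0') into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version: str) -> bool:
    """True when the version falls inside one of the listed vulnerable ranges.

    Versions outside every listed range (e.g. 5.0.14 <= v < 6.0.0, or 6.1.x
    development builds) are not flagged: the page gives no range for them.
    """
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def version_from_info(info: str) -> str:
    """Extract redis_version from `INFO server` output (CRLF-separated key:value lines)."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def mitigation_commands(app_user: str = "app") -> list:
    """ACL commands that deny Lua scripting for the given user and for `default`.

    -@scripting removes EVAL, EVALSHA and SCRIPT in one rule; -eval -evalsha is
    the narrower form the advisory names. Either one stops all script use for
    that user. Persist the result with ACL SAVE (if an aclfile is configured)
    or CONFIG REWRITE (if users live in redis.conf); denied attempts then
    appear in ACL LOG. The user name "app" is an assumption.
    """
    return [
        f"ACL SETUSER {app_user} -@scripting",
        "ACL SETUSER default -eval -evalsha",
    ]


# Constructed sample of `INFO server` output from a pre-fix 6.2 build (not a real capture).
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:6.2.5\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.10.0 x86_64\r\n"
)


def assess(info: str) -> dict:
    """Decide whether the instance behind `info` needs patching or the ACL workaround."""
    version = version_from_info(info)
    affected = is_affected(version)
    return {
        "version": version,
        "affected": affected,
        "actions": mitigation_commands() if affected else [],
    }


if __name__ == "__main__":
    result = assess(SAMPLE_INFO)
    state = "AFFECTED (patch to 5.0.14 / 6.0.16 / 6.2.6)" if result["affected"] else "not in listed ranges"
    print(f"redis {result['version']}: {state}")
    for cmd in result["actions"]:
        print("  interim workaround:", cmd)
```

Run it against real output by piping `redis-cli INFO server` into `version_from_info`; the range test is deliberately limited to what this page lists, so an unlisted branch comes back as "not in listed ranges" rather than as a false negative you would mistake for "fixed".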

CVSS provenance

nvd           v3.1  8.8  HIGH    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0  6.5  MEDIUM  AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                 8.8  HIGH
vendor_msrc         8.8  HIGH
vendor_oracle       8.8  HIGH
vendor_debian       7.5  HIGH
vendor_redhat       7.5  HIGH
vendor_ubuntu       5.4  MEDIUM