CVE-2021-32627

CWE-190 — Integer Overflow CWE-6807 documents7 sources

Severity

7.5HIGH

EPSS

0.6%

top 30.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Redis Debian Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedOct 4

Latest updateAug 3

Description

Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade a…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages4 packages

▶NVDredis/redis5.0.0 — 5.0.14+2

▶Debianredis< 5:6.0.16-1+deb11u1+3

▶CVEListV5redis/redis>= 5.0.0, < 5.0.14, >= 6.0.0, < 6.0.16, >= 6.2.0, < 6.2.6+2

▶NVDoracle/communications_operations_monitor4.3, 4.4, 5.0+2

Also affects: Debian Linux 10.0, 11.0, Fedora 33, 34, 35

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2021-32627: Redis is an open source, in-memory database that persists on disk↗2021-10-04

▶

CVEList

Integer overflow issue with Streams in Redis↗2021-10-04

▶

📋Vendor Advisories

Ubuntu

Redis vulnerabilities↗2022-08-03

▶

Microsoft

Integer overflow issue with Streams in Redis↗2021-10-12

▶

Red Hat

redis: Integer overflow issue with Streams↗2021-10-04

▶

Debian

CVE-2021-32627: redis - Redis is an open source, in-memory database that persists on disk. In affected v...↗2021

▶