CVE-2021-32672 — Out-of-bounds Read in Redis

CWE-125 — Out-of-bounds Read8 documents7 sources

Severity

4.3MEDIUMNVD

CNA5.3

EPSS

0.3%

top 47.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Linux Fedoraproject Fedora +2 more

Timeline

PublishedOct 4

Latest updateAug 3

Description

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages4 packages

▶NVDredis/redis3.2.0 — 5.0.14+2

▶Debianredis/redis< 5:6.0.16-1+deb11u1+3

▶CVEListV5redis/redis>= 3.2.0, < 5.0.14, >= 6.0.0, < 6.0.16, >= 6.0.0, < 6.2.6+2

▶NVDoracle/communications_operations_monitor4.3, 4.4, 5.0+2

Also affects: Debian Linux 10.0, 11.0, Fedora 33, 34, 35, Enterprise Linux 8.0

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

redis vulnerabilities↗2022-08-03

▶

CVEList

Vulnerability in Lua Debugger in Redis↗2021-10-04

▶

OSV

CVE-2021-32672: Redis is an open source, in-memory database that persists on disk↗2021-10-04

▶

📋Vendor Advisories

Ubuntu

Redis vulnerabilities↗2022-08-03

▶

Microsoft

Vulnerability in Lua Debugger in Redis↗2021-10-12

▶

Red Hat

redis: Out of bounds read in lua debugger protocol parser↗2021-10-04

▶

Debian

CVE-2021-32672: redis - Redis is an open source, in-memory database that persists on disk. When using th...↗2021

▶