CVE-2021-32675 — Allocation of Resources Without Limits or Throttling in Redis

CWE-770 — Allocation of Resources Without Limits or Throttling8 documents7 sources

Severity

7.5HIGHNVD

EPSS

1.7%

top 17.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Linux Fedoraproject Fedora +1 more

Timeline

PublishedOct 4

Latest updateAug 3

Description

Redis is an open source, in-memory database that persists on disk. When parsing an incoming Redis Standard Protocol (RESP) request, Redis allocates memory according to user-specified values which determine the number of elements (in the multi-bulk header) and size of each element (in the bulk header). An attacker delivering specially crafted requests over multiple connections can cause the server to allocate significant amount of memory. Because the same parsing mechanism is used to handle authe…

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶CVEListV5redis/redis< 5.0.14+2

▶NVDredis/redis5.0.0 — 5.0.14+2

▶Debianredis/redis< 5:6.0.16-1+deb11u1+3

▶NVDoracle/communications_operations_monitor4.3, 4.4, 5.0+2

Also affects: Debian Linux 10.0, 11.0, Fedora 33, 34, 35

Patches

Patch: github.com ↗Patch: www.oracle.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

redis vulnerabilities↗2022-08-03

▶

CVEList

DoS vulnerability in Redis↗2021-10-04

▶

OSV

CVE-2021-32675: Redis is an open source, in-memory database that persists on disk↗2021-10-04

▶

📋Vendor Advisories

Ubuntu

Redis vulnerabilities↗2022-08-03

▶

Microsoft

DoS vulnerability in Redis↗2021-10-12

▶

Red Hat

redis: Denial of service via Redis Standard Protocol (RESP) request↗2021-10-04

▶

Debian

CVE-2021-32675: redis - Redis is an open source, in-memory database that persists on disk. When parsing ...↗2021

▶