Severity: 7.5 HIGH
EPSS: 0.5% (top 34.66%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jul 21; latest update Aug 3

Description

Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis `*BIT*` commands are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration pa

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 | Impact: 5.9

Affected Packages (3 packages)

Source     | Package         | Affected versions
NVD        | redislabs/redis | 2.2.0 to 5.0.13 (+2 more ranges)
Debian     | redis           | < 5:6.0.15-1 (+3 more)
CVEListV5  | redis/redis     | >= 2.2, < 5.0.13; >= 6.0.0, < 6.0.15; >= 6.2.0, < 6.2.5 (+2 more)

Also affects: Debian Linux 10.0, 11.0, 9.0, Fedora 33, 34

Vulnerability Details (2)

CVEList: Integer overflow issues with *BIT commands on 32-bit systems (2021-07-21)
OSV: CVE-2021-32761: Redis is an in-memory database that persists on disk (2021-07-21)

Vendor Advisories (4)

Ubuntu: Redis vulnerabilities (2022-08-03)
Red Hat: redis: integer overflow issues with BITFIELD command on 32-bit systems (2021-07-21)
Microsoft: Integer overflow issues with *BIT commands on 32-bit systems (2021-07-13)
Debian: CVE-2021-32761: redis - Redis is an in-memory database that persists on disk. A vulnerability involving ... (2021)