CVE-2021-3470
Published 2021-03-31
Priority: P4 · 27 · medium · CVSS 3.1: 5.3
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS: 1.14% (62.7th percentile)
A heap overflow issue was found in Redis in versions before 5.0.10, before 6.0.9 and before 6.2.0 when using a heap allocator other than jemalloc or glibc's malloc, leading to potential out of bound write or process crash. Effectively this flaw does not affect the vast majority of users, who use jemalloc or glibc malloc.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redis | < redis 5:6.0.9-1 (bookworm) | redis 5:6.0.9-1 (bookworm) |
| msrc | cbl2_redis_5.0.5-7_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_redis_5.0.5-7_on_cbl_mariner_1.0 | — | — |
| redis | redis | >= 0 < 5:6.0.9-1 | 5:6.0.9-1 |
| redis | redis | >= 0 < 5:6.0.9-1 | 5:6.0.9-1 |
| redis | redis | >= 0 < 5:6.0.9-1 | 5:6.0.9-1 |
| redis | redis | >= 0 < 5:6.0.9-1 | 5:6.0.9-1 |
| redislabs | redis | < 5.0.10 | 5.0.10 |
| redislabs | redis | — | — |
| redislabs | redis | — | — |
| redislabs | redis | >= 6.0.0 < 6.0.9 | 6.0.9 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.3 | MEDIUM | — |
| vendor_debian | — | 5.3 | LOW | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Microsoft
vendor_msrc · 2021-03-09 · CVSS 5.3
CVE-2021-3470 [MEDIUM] CWE-787
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in Oc
Debian
vendor_debian · 2021 · CVSS 5.3
CVE-2021-3470 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 5:6.0.9-1)
bullseye: resolved (fixed in 5:6.0.9-1)
forky: resolved (fixed in 5:6.0.9-1)
sid: resolved (fixed in 5:6.0.9-1)
trixie: resolved (fixed in 5:6.0.9-1)
Red Hat
vendor_redhat · 2020-10-26 · CVSS 5.3
CVE-2021-3470 [MEDIUM] CWE-119
redis: potential heap overflow when using a heap allocator other than jemalloc or glibc's malloc
A heap overflow issue was found in Redis when using a heap allocator other than jemalloc or glibc's malloc, leading to potential out of bound write or process crash. Effectively this flaw does not affect the vast majority of users, who use jemalloc or glibc.
Statement: The following products are not affected by this flaw because they use `jemalloc` as default heap allocator:
GHSA
ghsa_unreviewed · 2022-05-24
CVE-2021-3470 [MEDIUM] CWE-119 GHSA-mqmr-8cxh-pqf6
OSV
osv · 2021-03-31 · CVSS 5.3
CVE-2021-3470 [MEDIUM]
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.