CVE-2022-31144 — Heap-based Buffer Overflow in Redis

CWE-122 — Heap-based Buffer Overflow CWE-787 — Out-of-bounds Write5 documents5 sources

Severity

8.8HIGHNVD

EPSS

21.2%

top 4.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Redis Msrc Cbl2 Redis 6.2.9-1 ON CBL Mariner 2.0 +1 more

Timeline

PublishedJul 19

Description

Redis is an in-memory database that persists on disk. A specially crafted `XAUTOCLAIM` command on a stream key in a specific state may result with heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages6 packages

▶NVDredis/redis7.0 — 7.0.4

▶debiandebian/redis< redis 5:7.0.4-1 (bookworm)

▶Debianredis/redis< 5:7.0.4-1+2

▶CVEListV5redis/redis>= 7.0.0, < 7.0.4

▶msrcmsrc/cm1_redis_6.2.9-1_on_cbl_mariner_1.0

🔴Vulnerability Details

OSV

CVE-2022-31144: Redis is an in-memory database that persists on disk↗2022-07-19

▶

📋Vendor Advisories

Red Hat

redis: heap overflow via XAUTOCLAIM command↗2022-07-19

▶

Microsoft

Potential heap overflow in Redis↗2022-07-12

▶

Debian

CVE-2022-31144: redis - Redis is an in-memory database that persists on disk. A specially crafted `XAUTO...↗2022

▶