CVE-2022-3647 — Improper Resource Shutdown or Release in Redis

CWE-404 — Improper Resource Shutdown or Release CWE-639 — Authorization Bypass Through User-Controlled Key8 documents7 sources

Severity

3.3LOWNVD

GHSA6.1

EPSS

0.3%

top 44.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Redis Msrc Cbl2 Redis 6.2.7-2 ON CBL Mariner 2.0 +1 more

Timeline

PublishedOct 21

Description

** DISPUTED ** A vulnerability, which was classified as problematic, was found in Redis up to 6.2.7/7.0.5. Affected is the function sigsegvHandler of the file debug.c of the component Crash Report. The manipulation leads to denial of service. The complexity of an attack is rather high. The exploitability is told to be difficult. The real existence of this vulnerability is still doubted at the moment. Upgrading to version 6.2.8 and 7.0.6 is able to address this issue. The patch is identified as 0…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:LExploitability: 1.8 | Impact: 1.4

Affected Packages5 packages

▶NVDredis/redis7.0.0 — 7.0.6+1

▶CVEListV5redis/redis14 versions+13

▶debiandebian/redis

▶msrcmsrc/cm1_redis_6.2.7-2_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_redis_6.2.7-2_on_cbl_mariner_2.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-3647: ** DISPUTED ** A vulnerability, which was classified as problematic, was found in Redis up to 6↗2022-10-21

▶

GHSA

GHSA-8vvp-2mv7-px5c: A vulnerability, which was classified as problematic, was found in Redis↗2022-10-21

▶

GHSA

Authorization Bypass Through User-Controlled Key in urijs↗2022-02-17

▶

📋Vendor Advisories

Red Hat

redis: crash in sigsegvHandler debug function↗2022-10-21

▶

Microsoft

Redis Crash Report debug.c sigsegvHandler denial of service↗2022-10-11

▶

Red Hat

urijs: Authorization Bypass Through User-Controlled Key↗2022-02-16

▶

Debian

CVE-2022-3647: redis - ** DISPUTED ** A vulnerability, which was classified as problematic, was found i...↗2022

▶