CVE-2023-28856: Improper Input Validation in Redis

Severity
NVD: 6.5 MEDIUM
OSV: 8.8
EPSS
0.4% (top 36.62%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 18
Latest update: Dec 5

Description

Redis is an open source, in-memory database that persists on disk. In affected versions, authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis when it is accessed. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.8 | Impact: 3.6

Affected Packages (11 packages)

Source     | Package       | Affected versions
NVD        | redis/redis   | 6.2.0 to 6.2.12 (+2 more ranges)
debian     | debian/redis  | < redis 5:7.0.11-1 (bookworm)
Debian     | redis/redis   | < 5:6.0.16-1+deb11u3 (+3 more ranges)
Ubuntu     | redis/redis   | < 2:2.8.4-2ubuntu0.2+esm3 (+4 more ranges)
CVEListV5  | redis/redis   | >= 6.2.0, < 6.2.12; >= 7.0.0, < 7.0.11 (+1 more range)

Also affects: Debian Linux 10.0, Fedora 36, 37, 38

Patches

Vulnerability Details (2)

OSV: redis vulnerabilities (2023-12-05)
OSV: CVE-2023-28856: Redis is an open source, in-memory database that persists on disk (2023-04-18)

Vendor Advisories (5)

Ubuntu: Redis vulnerabilities (2023-12-05)
Oracle: Oracle Communications Risk Matrix: Fraud Detection Monitor (Redis) — CVE-2023-28856 (2023-07-15)
Red Hat: redis: Insufficient validation of HINCRBYFLOAT command (2023-04-17)
Microsoft: `HINCRBYFLOAT` can be used to crash a redis-server process (2023-04-11)
Debian: CVE-2023-28856: redis - Redis is an open source, in-memory database that persists on disk. Authenticated... (2023)