CVE-2023-36824
published 2023-07-11CVE-2023-36824: Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some…
PriorityP275high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
74.82%
99.4th percentile
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | redis | < redis 5:7.0.15-1~deb12u1 (bookworm) | redis 5:7.0.15-1~deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| redis | redis | — | — |
| redis | redis | >= 0 < 5:7.0.15-1~deb12u1 | 5:7.0.15-1~deb12u1 |
| redis | redis | >= 0 < 5:7.0.12-1 | 5:7.0.12-1 |
| redis | redis | >= 0 < 5:7.0.12-1 | 5:7.0.12-1 |
| redis | redis | >= 7.0.0 < 7.0.12 | 7.0.12 |
Detection & IOCsextracted from sources · hover to see the quote
- →Monitor for execution of the COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS Redis commands, especially when issued by authenticated users, as these can be used to trigger the heap overflow. ↗
- →Monitor for authenticated Redis users with ACL rules that match key names executing commands referencing a variadic list of key names, which is a second exploitation vector for this vulnerability. ↗
- →Scope the detection to Redis 7.0.0 through 7.0.11 only; versions below 7.0 and 7.0.12+ are not affected. ↗
- ·Only Redis 7.0.x versions prior to 7.0.12 are vulnerable; Redis 6.x and earlier are not affected. ↗
- ·The vulnerability requires an authenticated session; unauthenticated attackers cannot directly exploit this flaw. ↗
- ·The fix is available in Redis 7.0.12; Debian packages were fixed in 5:7.0.12-1 (forky/sid/trixie) and 5:7.0.15-1~deb12u1 (bookworm). ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian7.4HIGH
vendor_redhat7.4HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
redis: heap overflow in COMMAND GETKEYS and ACL evaluation
vendor_redhat·2023-07-10·CVSS 7.4
CVE-2023-36824 [HIGH] CWE-131 redis: heap overflow in COMMAND GETKEYS and ACL evaluation
redis: heap overflow in COMMAND GETKEYS and ACL evaluation
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
A heap overflow vulnerability was found in Redis, where extracting key names from a command and a list of arguments may,
Debian
CVE-2023-36824: redis - Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0....
vendor_debian·2023·CVSS 7.4
CVE-2023-36824 [HIGH] CVE-2023-36824: redis - Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0....
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
Scope: local
bookworm: resolved (fixed in 5:7.0.15-1~deb12u1)
bullseye: resolved
forky: resolved (fixed in 5:7.0.12-1)
sid: resolved (fixed in 5:7.0.12-1)
trixie: resolved (fixed in
OSV
CVE-2023-36824: Redis is an in-memory database that persists on disk
osv·2023-07-11·CVSS 8.8
CVE-2023-36824 [HIGH] CVE-2023-36824: Redis is an in-memory database that persists on disk
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
No detection rules found.
No public exploits indexed.
https://github.com/redis/redis/releases/tag/7.0.12https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3https://lists.fedoraproject.org/archives/list/[email protected]/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/https://lists.fedoraproject.org/archives/list/[email protected]/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/https://security.netapp.com/advisory/ntap-20230814-0009/https://github.com/redis/redis/releases/tag/7.0.12https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3https://lists.fedoraproject.org/archives/list/[email protected]/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/https://lists.fedoraproject.org/archives/list/[email protected]/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/https://security.netapp.com/advisory/ntap-20230814-0009/
2023-07-11
Published