CVE-2023-41053 — Improper Privilege Management in Redis

CWE-269 — Improper Privilege Management6 documents6 sources

Severity

3.3LOWNVD

EPSS

0.8%

top 25.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis

Timeline

PublishedSep 6

Latest updateJan 15

Description

Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.8 | Impact: 1.4

Affected Packages3 packages

▶NVDredis/redis7.0 — 7.0.13+1

▶Debianredis/redis< 5:7.0.15-1~deb12u1+2

▶CVEListV5redis/redis>= 7.0.0, < 7.0.13, >= 7.1.0, < 7.2.1+1

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2023-41053: Redis is an in-memory database that persists on disk↗2023-09-06

▶

CVEList

Redis SORT_RO may bypass ACL configuration↗2023-09-06

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Installation and Configuration (Redis) — CVE-2023-41053↗2024-01-15

▶

Red Hat

redis: Redis SORT_RO may bypass ACL configuration↗2023-09-06

▶

Debian

CVE-2023-41053: redis - Redis is an in-memory database that persists on disk. Redis does not correctly i...↗2023

▶