CVE-2023-45145 — Resource Exposure in Redis

CWE-668 — Resource Exposure CWE-269 — Improper Privilege Management8 documents7 sources

Severity

3.6LOWNVD

OSV8.8

EPSS

0.6%

top 31.04%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redis Debian Redis Debian Linux +2 more

Timeline

PublishedOct 18

Latest updateJan 15

Description

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrad…

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.0 | Impact: 2.5

Affected Packages6 packages

▶NVDredis/redis2.6.0 — 6.2.14+3

▶debiandebian/redis< redis 5:7.0.15-1~deb12u1 (bookworm)

▶Debianredis/redis< 5:6.0.16-1+deb11u3+3

▶Ubunturedis/redis< 2:2.8.4-2ubuntu0.2+esm3+4

▶CVEListV5redis/redis>= 2.6.0-rc1, < 6.2.14, >= 7.0.0, < 7.0.14, >= 7.1.0, < 7.2.2+2

Also affects: Debian Linux 10.0, Fedora 37, 38, 39

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

redis vulnerabilities↗2023-12-05

▶

OSV

CVE-2023-45145: Redis is an in-memory database that persists on disk↗2023-10-18

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (Redis) — CVE-2023-45145↗2024-01-15

▶

Ubuntu

Redis vulnerabilities↗2023-12-05

▶

Red Hat

redis: possible bypass of Unix socket permissions on startup↗2023-10-18

▶

Microsoft

Redis Unix-domain socket may have be exposed with the wrong permissions for a short time window.↗2023-10-10

▶

Debian

CVE-2023-45145: redis - Redis is an in-memory database that persists on disk. On startup, Redis begins l...↗2023

▶