CVE-2024-31227: Improper Input Validation in Redis

Severity: 4.4 MEDIUM (NVD)
EPSS: 0.4% (top 37.78%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 7; latest update Oct 8

Description

Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
Exploitability: 0.8 | Impact: 3.6

Affected Packages (11 packages)

Source      Package         Affected range
NVD         redis/redis     7.0.0 to 7.2.6
debian      debian/redis    < redict 7.3.1+ds-1 (forky)
Debian      redis/redis     < 5:7.0.15-1~deb12u2
CVEListV5   redis/redis     >= 7.0.0, < 7.2.6; >= 7.3.0, < 7.4.1
debian      debian/redict   < redict 7.3.1+ds-1 (forky)

Patches

Vulnerability Details (1)

OSV: CVE-2024-31227: Redis is an open source, in-memory database that persists on disk (2024-10-07)

Vendor Advisories (3)

Microsoft: Denial-of-service due to malformed ACL selectors in Redis (2024-10-08)
Red Hat: redis: Denial-of-service due to malformed ACL selectors in Redis (2024-10-07)
Debian: CVE-2024-31227: redict - Redis is an open source, in-memory database that persists on disk. An authentica... (2024)