CVE-2023-22458
5.5
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Redis is an in-memory database that persists on disk. Authenticated users can issue a HRANDFIELD or ZRANDMEMBER command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| redis | redis | >= 6.2, < 6.2.9 | affected |
| redis | redis | >= 7.0, < 7.0.8 | affected |
Weaknesses
- CWE-190: CWE-190: Integer Overflow or Wraparound
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj
- https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02
- https://github.com/redis/redis/releases/tag/6.2.9
- https://github.com/redis/redis/releases/tag/7.0.8
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj
- https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02
- https://github.com/redis/redis/releases/tag/6.2.9
- https://github.com/redis/redis/releases/tag/7.0.8
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.