CVE-2024-25115
7
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
RedisBloom adds a set of probabilistic data structures to Redis. Starting in version 2.0.0 and prior to version 2.4.7 and 2.6.10, specially crafted CF.LOADCHUNK commands may be used by authenticated users to perform heap overflow, which may lead to remote code execution. The problem is fixed in RedisBloom 2.4.7 and 2.6.10.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| RedisBloom | RedisBloom | >= 2.0.0, < 2.4.7 | affected |
| RedisBloom | RedisBloom | >= 2.5.0, < 2.6.10 | affected |
Weaknesses
- CWE-122: CWE-122: Heap-based Buffer Overflow
- CWE-120: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
- https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-w583-p2wh-4vj5
- https://github.com/RedisBloom/RedisBloom/commit/2f3b38394515fc6c9b130679bcd2435a796a49ad
References
- https://github.com/RedisBloom/RedisBloom/security/advisories/GHSA-w583-p2wh-4vj5
- https://github.com/RedisBloom/RedisBloom/commit/2f3b38394515fc6c9b130679bcd2435a796a49ad
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.