CVE-2021-32625 in Redis情報

要約

〜によって MITRE • 2021年06月03日

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer (on 32-bit systems ONLY) can be exploited using the `STRALGO LCS` command to corrupt the heap and potentially result with remote code execution. This is a result of an incomplete fix for CVE-2021-29477 which only addresses the problem on 64-bit systems but fails to do that for 32-bit. 64-bit systems are not affected. The problem is fixed in version 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the `redis-server` executable is to use ACL configuration to prevent clients from using the `STRALGO LCS` command.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

責任者

GitHub, Inc.

予約する

2021年05月12日

モデレーション

承諾済み

エントリ

VDB-176280

EPSS

0.04207

アクティビティ

非常低い

ソース

Do you know our Splunk app?

Download it now for free!