CVE-2023-41056
Published: January 10, 2024Last modified: January 10, 2024
Description
Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.1 |
| Attack Vector | NETWORK |
| Attack complexity | HIGH |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity impact | HIGH |
| Availability impact | HIGH |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | 23 LTS | redis | Fixed (7.0.15-r0) |
| Stream | redis | Fixed (7.2.4-r0) |
References
- https://github.com/redis/redis/releases/tag/7.0.15
- https://github.com/redis/redis/releases/tag/7.2.4
- https://github.com/redis/redis/security/advisories/GHSA-xr47-pcmx-fq2m
- https://lists.fedoraproject.org/archives/list/[email protected]/message/3JTGQJ2YLYB24B72I5B5H32YIMPVSWIT/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/JTWHPLC3RI67VNRDOIXLDVNC5YMYBMQN/
- https://security.netapp.com/advisory/ntap-20240223-0003/