Description
networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port).
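The following C code is an added example (not Redis source code and not part of the advisory) of the kind of check the description says was missing: it flags any line that Redis would read as a plain-text inline command beginning with `POST` or `Host:`. The function names are hypothetical, the sample inputs in use are constructed, and matching is case-insensitive because Redis command names are.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added example, not Redis source. Tokens are the two named in the advisory. */
static const char *HTTP_TOKENS[] = { "POST", "Host:" };

/* Return 1 if the first space-delimited word of line[0..len) is an HTTP token. */
int is_http_like(const char *line, size_t len) {
    size_t s = 0, e;
    while (s < len && (line[s] == ' ' || line[s] == '\t')) s++;
    for (e = s; e < len && line[e] != ' ' && line[e] != '\t' && line[e] != '\r'; e++) ;
    for (size_t k = 0; k < sizeof HTTP_TOKENS / sizeof HTTP_TOKENS[0]; k++)
        if (e - s == strlen(HTTP_TOKENS[k]) &&
            strncasecmp(line + s, HTTP_TOKENS[k], e - s) == 0) return 1;
    return 0;
}

/* Parse leading decimal digits of p[0..n) without reading past n. */
static size_t parse_num(const char *p, size_t n) {
    size_t v = 0;
    for (size_t i = 0; i < n && p[i] >= '0' && p[i] <= '9'; i++)
        v = v * 10 + (size_t)(p[i] - '0');
    return v;
}

/* Walk a client buffer at command boundaries. RESP arrays ("*N", then N items of
 * "$len" plus len payload bytes) are skipped as data, so a key named "post" is
 * not flagged; every other line is an inline command and is checked.
 * Returns 1 if the connection should be closed. */
int should_close(const char *buf, size_t len) {
    size_t pos = 0, pending = 0;            /* pending: bulk items still expected */
    while (pos < len) {
        const char *nl = memchr(buf + pos, '\n', len - pos);
        size_t line_len = nl ? (size_t)(nl - (buf + pos)) : len - pos;
        size_t next = pos + line_len + (nl ? 1 : 0);
        if (pending == 0 && buf[pos] == '*') {
            pending = parse_num(buf + pos + 1, line_len - 1);
        } else if (pending > 0 && buf[pos] == '$') {
            size_t blen = parse_num(buf + pos + 1, line_len - 1);
            if (blen > len - next) return 0; /* payload incomplete: wait for more */
            next += blen;
            next = (len - next >= 2) ? next + 2 : len; /* trailing CRLF */
            pending--;
        } else if (is_http_like(buf + pos, line_len)) {
            return 1;
        }
        pos = next;
    }
    return 0;
}
```
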
Mitigation
This issue can be mitigated by configuring Redis to require clients to authenticate with a password. Password authentication can be enabled using the 'requirepass' directive in the redis.conf configuration file.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Enterprise Linux OpenStack Platform 6 (Juno) | redis | Will not fix | | |
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) | redis | Will not fix | | |
| Red Hat Enterprise Linux OpenStack Platform 7 (Kilo) Operational Tools | redis | Will not fix | | |
| Red Hat Mobile Application Platform 4 | redis | Not affected | | |
| Red Hat OpenStack Platform 10 (Newton) | redis | Will not fix | | |
| Red Hat OpenStack Platform 11 (Ocata) | redis | Not affected | | |
| Red Hat OpenStack Platform 12 (Pike) | redis | Not affected | | |
| Red Hat OpenStack Platform 8 (Liberty) | redis | Will not fix | | |
| Red Hat OpenStack Platform 8 (Liberty) Operational Tools | redis | Will not fix | | |
| Red Hat OpenStack Platform 9 (Mitaka) | redis | Will not fix | | |
Additional information
CVSS3: 5.3 Medium
Related vulnerabilities
A vulnerability in the networking.c component of the Redis database management system (DBMS) that allows an attacker to gain access to confidential data