Description
A stack-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By corrupting a hyperloglog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
A stack buffer overflow vulnerability was found in the Redis HyperLogLog data structure. By corrupting a HyperLogLog using the SETRANGE command, an attacker could cause Redis to perform controlled increments of up to 12 bytes past the end of a stack-allocated buffer.
Report
The following product versions are not affected because they do not ship the vulnerable code:
- Red Hat OpenStack Platform, all versions
- Red Hat Ceph Storage 3, which only ships the client-side part of Redis in its packaged Grafana.
- Red Hat Gluster Storage 3, which only ships the client-side part of Redis in its packaged Grafana and Heketi.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat Ceph Storage 3 | grafana | Not affected | | |
| Red Hat OpenStack Platform 10 (Newton) | redis | Not affected | | |
| Red Hat OpenStack Platform 13 (Queens) | redis | Not affected | | |
| Red Hat OpenStack Platform 14 (Rocky) | redis | Not affected | | |
| Red Hat OpenStack Platform 9 (Mitaka) | redis | Not affected | | |
| Red Hat OpenStack Platform 9 (Mitaka) Operational Tools | redis | Not affected | | |
| Red Hat Software Collections | rh-redis32-redis | Not affected | | |
| Red Hat Storage 3 | grafana | Not affected | | |
| Red Hat Storage 3 | heketi | Not affected | | |
| Red Hat Enterprise Linux 8 | redis | Fixed | RHSA-2019:2002 | 07.08.2019 |
Additional information
Status:
7.2 High
CVSS3
Related vulnerabilities
A vulnerability in the HyperLogLog algorithm of the Redis in-memory NoSQL database management system that allows an attacker to affect data integrity, gain unauthorized access to protected information, and cause a denial of service
7.2 High
CVSS3