Description
Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10.
A command injection flaw was discovered in Redis, which exists due to a reachable assertion when handling the MSETNX command. By sending a specially crafted MSETNX command, a local authenticated attacker can cause a denial of service condition by terminating the Redis server process.
Statement
The vulnerability was introduced in Redis v7.0.8. Red Hat Enterprise Linux 8 and 9 ship Redis v6.x.x and lower, which do not contain the vulnerable code, so they are not affected.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat 3scale API Management Platform 2 | 3scale-amp-backend-container | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-api-rhel8 | Not affected | ||
| Red Hat Ansible Automation Platform 1.2 | ansible-tower | Not affected | ||
| Red Hat Enterprise Linux 8 | redis:6/redis | Not affected | ||
| Red Hat Enterprise Linux 9 | redis | Not affected | ||
| Red Hat Fuse 7 | redis | Not affected | ||
| Red Hat OpenStack Platform 13 (Queens) | redis | Not affected | ||
| Red Hat Quay 3 | quay/quay-rhel8 | Not affected | ||
| Red Hat Satellite 6 | satellite:el8/rubygem-gitlab-sidekiq-fetcher | Not affected | ||
| Red Hat Software Collections | rh-redis6-redis | Not affected | ||
Additional information
Status:
EPSS
CVSS3: 5.5 Medium
Related vulnerabilities
Specially crafted MSETNX command can lead to denial-of-service
Redis is an in-memory database that persists on disk. Starting in vers ...
A vulnerability in the Redis database management system (DBMS), related to a lack of input data sanitization, that allows an attacker to send a specially crafted MSETNX command and cause a denial of service by terminating the Redis server process