TROYANOSYVIRUS
Volver a CVEs

CVE-2021-32687

HIGH
7.5

Descripcion

Redis is an open source, in-memory database that persists on disk. An integer overflow bug affecting all versions of Redis can be exploited to corrupt the heap and potentially be used to leak arbitrary contents of the heap or trigger remote code execution. The vulnerability involves changing the default set-max-intset-entries configuration parameter to a very large value and constructing specially crafted commands to manipulate sets. The problem is fixed in Redis versions 6.2.6, 6.0.16 and 5.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the set-max-intset-entries configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Detalles CVE

Puntuacion CVSS v3.17.5
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Vector de ataqueNETWORK
ComplejidadHIGH
Privilegios requeridosLOW
Interaccion usuarioNONE
Publicado10/4/2021
Ultima modificacion11/21/2024
Fuentenvd
Avistamientos honeypot0

Productos afectados

debian:debian_linuxfedoraproject:fedoranetapp:management_services_for_element_softwarenetapp:management_services_for_netapp_hcioracle:communications_operations_monitorredis:redis

Debilidades (CWE)

CWE-190CWE-680CWE-190

Referencias

https://github.com/redis/redis/commit/a30d367a71b7017581cf1ca104242a3c644dec0f(security-advisories@github.com)
https://github.com/redis/redis/security/advisories/GHSA-m3mf-8x9w-r27q(security-advisories@github.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/(security-advisories@github.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/(security-advisories@github.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/(security-advisories@github.com)
https://security.gentoo.org/glsa/202209-17(security-advisories@github.com)
https://security.netapp.com/advisory/ntap-20211104-0003/(security-advisories@github.com)
https://www.debian.org/security/2021/dsa-5001(security-advisories@github.com)
https://www.oracle.com/security-alerts/cpuapr2022.html(security-advisories@github.com)
https://github.com/redis/redis/commit/a30d367a71b7017581cf1ca104242a3c644dec0f(af854a3a-2127-422b-91ae-364da2661108)
https://github.com/redis/redis/security/advisories/GHSA-m3mf-8x9w-r27q(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/(af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202209-17(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20211104-0003/(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2021/dsa-5001(af854a3a-2127-422b-91ae-364da2661108)
https://www.oracle.com/security-alerts/cpuapr2022.html(af854a3a-2127-422b-91ae-364da2661108)

Correlaciones IOC

Sin correlaciones registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.