Headline
CVE-2023-22458: Integer overflow in the Redis HRANDFIELD and ZRANDMEMBER commands may lead to denial-of-service
Redis is an in-memory database that persists on disk. Authenticated users can issue a HRANDFIELD or ZRANDMEMBER command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9, as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected versions
6.2 or newer
Patched versions
6.2.9, 7.0.8
Description
Impact
Authenticated users can issue a HRANDFIELD or ZRANDMEMBER command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion.
This problem affects Redis 6.2 or newer.
Patches
The problem is fixed in Redis versions 6.2.9 and 7.0.8.
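As an added check, not part of the advisory or of Redis itself: a small Python helper that reads the version string from the output of Redis's INFO server command and reports whether it falls inside the ranges this advisory lists (6.2.x before 6.2.9 and 7.0.x before 7.0.8). The sample INFO text below is constructed.

```python
"""Classify a Redis server version against the CVE-2023-22458 affected ranges."""
import re

# Ranges from the advisory: the 6.2 line is fixed in 6.2.9, the 7.0 line in 7.0.8.
# Versions of these lines below the fix are affected; the advisory lists no other line.
PATCHED_IN = {(6, 2): (6, 2, 9), (7, 0): (7, 0, 8)}

# Constructed sample of `redis-cli INFO server` output (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:7.0.5
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""


def version_from_info(info: str) -> str:
    """Extract the redis_version field from INFO server output."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not found in INFO output")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'MAJOR.MINOR.PATCH' (extra suffixes ignored) into a comparable tuple."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version is in an affected line and older than its fixed release."""
    major, minor, patch = parse_version(version)
    fixed = PATCHED_IN.get((major, minor))
    if fixed is None:
        return False  # not one of the lines the advisory names
    return (major, minor, patch) < fixed


if __name__ == "__main__":
    v = version_from_info(SAMPLE_INFO)
    print(f"redis {v}: {'AFFECTED, upgrade' if is_affected(v) else 'not affected'}")
```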
Credit
This issue has been identified and reported by yype on GitHub.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Redis repository
- Email us at [email protected]
Related news
Gentoo Linux Security Advisory 202408-5 - Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution. Versions greater than or equal to 7.2.4 are affected.