Headline
CVE-2023-47004: OOB-write vulnerability lead to REMOTE CODE EXECUTION · Issue #3178 · RedisGraph/RedisGraph
Buffer Overflow vulnerability in Redis RedisGraph v.2.x through v.2.12.8 and fixed in v.2.12.9 allows an attacker to execute arbitrary code via the code logic after valid authentication.
Summary
I have found a security vulnerability in the latest codebase of RedisGraph.
With personal investigation, I think an attacker could leverage this vulnerability to achieve remote code execution on a vulnerable Redis instance.
The vulnerability exists in code logic after a valid authentication.
PoC
Here is a screenshot from a local lab environment to demonstrate remote code execution.
We have a full screen recording of the whole process, but it is too big to attach to a GitHub issue.
Step To Reproduce
Since this vulnerability leads to a remote code execution attack vector, it is better not to put the PoC in a publicly visible GitHub issue.
Please let me know a preferred way to report this vulnerability to the dev team.