CVE-2021-29477: Redis

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The problem is fixed in versions 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS command.


Redis

The open source, in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker.

HSET user:1 name antirez vocation artist
SET e 2.71
INCRBYFLOAT e 0.43
RENAME e pi
PING

A vibrant, open source database

Voted the most-loved database for 5 years running, Redis is at the center of an engaged community of developers, architects, and open source contributors.

4B+ Docker pulls

50K+ Github stars

50+ Supported programming languages

Core capabilities

In-memory data structures

Well-known as a "data structure server", with support for strings, hashes, lists, sets, sorted sets, streams, and more.


Programmability

Server-side scripting with Lua and server-side stored procedures with Redis Functions.


Extensibility

A module API for building custom extensions to Redis in C, C++, and Rust.


Persistence

Keeps the dataset in memory for fast access, but can also persist all writes to permanent storage to survive reboots and system failures.


Clustering

Horizontal scalability with hash-based sharding, scaling to millions of nodes with automatic re-partitioning when growing the cluster.


High availability

Replication with automatic failover for both standalone and clustered deployments.


Use cases

Real-time data store

Redis’ versatile in-memory data structures let you build data infrastructure for real-time applications requiring low latency and high throughput.

Caching & session storage

Redis’ speed makes it ideal for caching database queries, complex computations, API calls, and session state.

Streaming & messaging

The stream data type enables high-speed data ingestion, messaging, event sourcing, and notifications.

Redis Stack

Redis Stack extends Redis with modern data models and processing engines to provide a complete developer experience. Download the source, install using your favorite package manager, or spin it up for free in the cloud.

Visualize and optimize your Redis data with RedisInsight.

Redis Stack use cases

Searchable Redis

Index and query Redis data structures and data models. Run complex aggregations and full-text search on your Redis data.

Document database

Model your domain entirely in Redis and efficiently query your JSON data without ever having to use a cache.

Telemetry

Ingest continuous readings from devices in the field, storing them as time series data or analyzing and de-duplicating with probabilistic data structures.

Identity and resource management

Define digital resources and ACLs as a graph, and compute permissions in real-time with a single Cypher query.

Vector similarity search

Query vector embeddings to power image search, recommendation engines, and natural language text processing.

Fraud detection

Detect fraud in real time with graph analysis, probabilistic queries, vector search, and stream processing.


Related news

CVE-2023-28864: Chef Infra Server Release Notes

Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.

CVE-2021-32625

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. This is a result of an incomplete fix for CVE-2021-29477. The problem is fixed in versions 6.2.4 and 6.0.14. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS command. On 64-bit systems which have the fixes of CVE-2021-29477 (6.2.3 or 6.0.13), it is sufficient to make sure that the proto-max-bulk-len config parameter is smaller than 2GB (default is 512MB).
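Both advisories above (CVE-2021-29477 and CVE-2021-32625) name the same two workarounds for deployments that cannot patch immediately: deny STRALGO to every ACL user, and keep proto-max-bulk-len below 2GB. The following is an added example, not code from the Redis project or from the advisories, that audits a redis.conf (or the concatenated text of an ACL file) for those two settings. It assumes the standard `user <name> <rules...>` ACL syntax and Redis memory units (k/m/g as powers of 1000, kb/mb/gb as powers of 1024); any `+@<category>` other than `@all` is conservatively treated as possibly granting STRALGO, so a user is only reported as mitigated when the walk ends with STRALGO explicitly removed or no commands granted. The sample configuration is constructed for the demonstration.

```python
"""Audit a redis.conf / ACL file for the two workarounds named in
CVE-2021-29477 and CVE-2021-32625: no ACL user may call STRALGO, and
proto-max-bulk-len stays below 2GB.  Added example, not Redis project code."""
import re

TWO_GB = 2 * 1024 ** 3                          # "smaller than 2GB" per the advisory
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 ** 2    # Redis default of 512mb

# Redis memory suffixes: k/m/g are powers of 1000, kb/mb/gb are powers of 1024.
_UNITS = {"": 1, "b": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
          "g": 1000 ** 3, "gb": 1024 ** 3}

# Constructed sample configuration (not from a real deployment).
SAMPLE_CONF = """\
port 6379
proto-max-bulk-len 512mb
user default on nopass ~* &* +@all -stralgo
user reporting on >s3cret ~report:* +@read
user batch on >s3cret ~* +@all -stralgo
"""


def parse_memory(value):
    """Convert a Redis memory value such as '512mb' or '2gb' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([a-zA-Z]*)", value.strip())
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unparseable memory value: {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def stralgo_allowed(rules):
    """Walk ACL rules left to right and decide whether STRALGO stays callable.

    A freshly defined user starts with no commands.  Any +@category other
    than @all is treated as possibly granting STRALGO (assumption: the command
    belongs to several categories, so this errs on the side of flagging), and
    only an explicit -stralgo, -@all/nocommands or reset removes it again."""
    allowed = False
    for rule in rules:
        r = rule.lower()
        if r in ("+@all", "allcommands") or r.startswith("+@"):
            allowed = True
        elif r in ("-@all", "nocommands", "reset"):
            allowed = False
        elif r == "+stralgo" or r.startswith("+stralgo|"):
            allowed = True          # +stralgo|lcs grants exactly the risky subcommand
        elif r == "-stralgo":
            allowed = False
        # on/off, >password, nopass, ~key and &channel rules do not affect commands
    return allowed


def audit(config_text):
    """Return the users that can still call STRALGO and the bulk-length setting.

    Pass the text of redis.conf; if the server uses an external `aclfile`,
    append that file's contents as well, since user lines live there instead."""
    users = {}
    bulk_len = DEFAULT_PROTO_MAX_BULK_LEN
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "user" and len(parts) >= 2:
            users[parts[1]] = stralgo_allowed(parts[2:])
        elif key == "proto-max-bulk-len" and len(parts) == 2:
            bulk_len = parse_memory(parts[1])
    # The built-in 'default' user has +@all unless the configuration redefines it.
    users.setdefault("default", True)
    exposed = sorted(name for name, ok in users.items() if ok)
    return {
        "stralgo_users": exposed,
        "proto_max_bulk_len": bulk_len,
        "acl_mitigated": not exposed,
        "bulk_len_mitigated": bulk_len < TWO_GB,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONF).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the `reporting` user is flagged because `+@read` may include STRALGO, while `default` and `batch` end with `-stralgo` and pass; the 512mb bulk length satisfies the second condition. Note that the bulk-length condition alone is only sufficient, per the advisory text, on 64-bit systems already running 6.2.3 or 6.0.13, so the ACL check is the one that applies to every unpatched 6.x server.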
