Headline

CVE-2023-28425: Specially crafted MSETNX command can lead to denial-of-service

Redis is an in-memory database that persists on disk. Starting in version 7.0.8 and prior to version 7.0.10, authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process. The problem is fixed in Redis version 7.0.10.

1 year ago

CVE

Open in Source

#dos #redis #auth

Moderate

oranagra published GHSA-mvmm-4vq6-vw8c

Mar 20, 2023

Affected versions

>= 7.0.8

Description

Impact

Authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

Patches

The problem is fixed in Redis versions 7.0.10.

Credit

The issue has been identified by Yupeng Yang.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Redis repository
Email us at [email protected]

Severity

CVSS base metrics

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Gentoo Linux Security Advisory 202408-5 - Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution. Versions greater than or equal to 7.2.4 are affected.

3 months ago

Packet Storm

Open in Source

#vulnerability #web #mac #linux #dos #redis #rce