Headline
CVE-2023-36824: Heap overflow in COMMAND GETKEYS and ACL evaluation
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted COMMAND GETKEYS
or COMMAND GETKEYSANDFLAGS
and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
Impact
Extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to this result:
- Authenticated users executing a specially crafted COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS.
- Authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names.
The problem exists in Redis 7.0 or newer.
Patches
The problem is fixed in Redis 7.0.12.
Credit
The problem was found by Lior Lahav.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the Redis repository
- Email us at [email protected]
Related news
Gentoo Linux Security Advisory 202408-5 - Multiple vulnerabilities have been discovered in Redis, the worst of which may lead to a denial of service or possible remote code execution. Versions greater than or equal to 7.2.4 are affected.
Debian Linux Security Advisory 5610-1 - Multiple security issues were discovered in Redis, a persistent key-value database, which could result in the execution of arbitrary code or ACL bypass.
Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).