CVE-2021-32626

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

CVSS v3 7.5 HIGH
CVSS v2.0 6.5 MEDIUM

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591	Patch Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c	Third Party Advisory
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
https://security.gentoo.org/glsa/202209-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5001	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory
https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591	Patch Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c	Third Party Advisory
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
https://security.gentoo.org/glsa/202209-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5001	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
	cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::*

History

21 Nov 2024, 06:07

Type	Values Removed	Values Added
CVSS	v2 : ~~6.5~~ v3 : ~~8.8~~	v2 : 6.5 v3 : 7.5
References	~~() https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591 - Patch, Third Party Advisory~~	() https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591 - Patch, Third Party Advisory
References	~~() https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c - Third Party Advisory~~	() https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c - Third Party Advisory
References	~~() https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E -~~	() https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -
References	~~() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -~~	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -
References	~~() https://security.gentoo.org/glsa/202209-17 - Third Party Advisory~~	() https://security.gentoo.org/glsa/202209-17 - Third Party Advisory
References	~~() https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory~~	() https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory
References	~~() https://www.debian.org/security/2021/dsa-5001 - Third Party Advisory~~	() https://www.debian.org/security/2021/dsa-5001 - Third Party Advisory
References	~~() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory~~	() https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory

Information

Published : 2021-10-04 18:15

Updated : 2024-11-21 06:07

NVD link : CVE-2021-32626

Mitre link : CVE-2021-32626

CVE.ORG link : CVE-2021-32626

JSON object : View

Products Affected

debian

debian_linux

oracle

communications_operations_monitor

netapp

management_services_for_element_software
management_services_for_netapp_hci

fedoraproject

fedora

redis

redis

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

7.5 /10