SB2024100272 - Multiple vulnerabilities in Redis
Published: October 2, 2024 Updated: October 7, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) Stack-based buffer overflow (CVE-ID: CVE-2024-31449)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing untrusted input. A remote user with ability to influence data input can pass a specially crafted Lua script to the database, trigger a stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Input validation error (CVE-ID: CVE-2024-31227)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to malformed ACL selectors. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
3) Input validation error (CVE-ID: CVE-2024-31228)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to due to unbounded pattern matching. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/redis/redis/releases/tag/7.2.6
- https://github.com/redis/redis/releases/tag/7.4.1
- https://github.com/redis/redis/releases/tag/6.2.16
- https://github.com/redis/redis/security/advisories/GHSA-whxg-wx83-85p5
- https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh
- https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976