#VU97971 Input validation error in Redis - CVE-2024-31227

Cybersecurity Help s.r.o.

Published: 2024-10-02 | Updated: 2024-10-07

Vulnerability identifier: #VU97971

Vulnerability risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-31227

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Redis
Server applications / Database software

Vendor: Redis Labs

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to malformed ACL selectors. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Redis: 7.0.0 - 7.0.15, 7.2.0 - 7.2.5, 7.4.0

External links
https://github.com/redis/redis/releases/tag/7.2.6
https://github.com/redis/redis/releases/tag/7.4.1
https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

APEX Cloud Platform for Microsoft Azure update for third-party components

Fedora 41 update for redict

Fedora EPEL 9 update for redict

Fedora 40 update for redict

Fedora EPEL 8 update for redict

Red Hat Enterprise Linux 9 update for the redis:7 module

SUSE update for redis7

Fedora 40 update for valkey

Fedora 41 update for valkey