Huang Zhw

**Name of the Vulnerable Software and Affected Versions** Redis versions 2.2 through 5.0.12 Redis versions 6.0 through 6.0.14 Redis versions 6.2 through 6.2.4 **Description** A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists in Redis. The vulnerability can be exploited to corrupt the heap, leak arbitrary heap contents, or trigger remote code execution. This issue affects Redis on 32-bit platforms or compiled as a 32-bit binary. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted commands. **Recommendations** For Redis versions 2.2 through 5.0.12, update to version 5.0.13 or later. For Redis versions 6.0 through 6.0.14, update to version 6.0.15 or later. For Redis versions 6.2 through 6.2.4, update to version 6.2.5 or later. As a temporary workaround, prevent users from modifying the `proto-max-bulk-len` configuration parameter by using ACL to restrict unprivileged users from using the CONFIG SET command.