PT-2021-2993 · Redis (+4 other affected products)

Oranagrapu · Published 2021-05-04 · Updated 2024-06-15 · CVE-2021-29477

CVSS v2.0: 10.0 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Redis 6.0 through 6.2.2, that is: the 6.2 branch from 6.2.0 through 6.2.2, and the 6.0 branch from 6.0.0 through 6.0.12. The STRALGO command was introduced in Redis 6.0, so releases before 6.0 are not affected.
Description

An integer overflow in the implementation of the STRALGO LCS command (longest common subsequence, added in Redis 6.0) can be triggered by a client that supplies crafted input strings. The overflow leads to heap corruption and can potentially result in remote code execution. Any client that is allowed to execute STRALGO can trigger the bug, which by default means every authenticated client, or every network client when the server is reachable without a password or ACL restrictions.
Recommendations

For Redis 6.2.x (6.2.0 through 6.2.2), update to 6.2.3 or later. For Redis 6.0.x (6.0.0 through 6.0.12), update to 6.0.13 or later.

As a temporary workaround until the server can be restarted on a patched build, use the ACL configuration to remove the STRALGO command from every user that is able to connect, including the default user: ACL SETUSER default -stralgo at runtime, plus -stralgo in the matching user line of redis.conf or the ACL file so the restriction survives a restart (CONFIG REWRITE or ACL SAVE persists a runtime change). Redis 6 ACLs cannot remove a single subcommand such as STRALGO LCS on its own, so the whole STRALGO command is disabled; verify afterwards with ACL LIST that no connectable user still has +@all without the -stralgo exclusion.
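As an added example, not part of the original advisory and not Redis project code, the following Python script turns the version ranges and the ACL workaround above into a check a practitioner can run against the output of INFO server. SAMPLE_INFO is a constructed sample of that output; the affected and fixed versions are those stated in this advisory; the user name "default" and the persistence commands mentioned in the comments are assumptions about a standard Redis 6 deployment.

```python
"""Decide whether a Redis server is in the CVE-2021-29477 affected ranges and
produce the ACL mitigation line.

Added example for this advisory; it is not Redis project code.  The version
ranges and fixed releases come from the advisory text (6.2.0-6.2.2 fixed in
6.2.3, 6.0.0-6.0.12 fixed in 6.0.13).  SAMPLE_INFO is a constructed stand-in
for `redis-cli INFO server` output.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First fixed release on each affected branch, from the advisory.
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (6, 0): (6, 0, 13),
    (6, 2): (6, 2, 3),
}

# Constructed sample of `INFO server`; only redis_version matters here.
SAMPLE_INFO = (
    "# Server\r\n"
    "redis_version:6.2.1\r\n"
    "redis_mode:standalone\r\n"
    "os:Linux 5.10.0 x86_64\r\n"
)


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH'; reject anything else rather than guess."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def version_from_info(info: str) -> Version:
    """Pull redis_version out of an INFO server dump (CRLF key:value lines)."""
    for line in info.splitlines():
        if line.startswith("redis_version:"):
            return parse_version(line.split(":", 1)[1])
    raise ValueError("redis_version not present in INFO output")


def is_affected(v: Version) -> bool:
    """True if v lies in an affected range.

    STRALGO only exists from 6.0, so anything older cannot reach the bug;
    6.2.3 closes the 6.2 line and 6.0.13 is the backport on the 6.0 line.
    """
    if not ((6, 0, 0) <= v <= (6, 2, 2)):
        return False
    if v[:2] == (6, 0) and v >= FIXED_BY_BRANCH[(6, 0)]:
        return False
    return True


def fixed_version_for(v: Version) -> Optional[Version]:
    """First release on the server's own branch that carries the fix, or None."""
    if not is_affected(v):
        return None
    # Anything affected that is not on the 6.0 branch should move to 6.2.3+.
    return FIXED_BY_BRANCH.get(v[:2], FIXED_BY_BRANCH[(6, 2)])


def acl_workaround_rule(user: str = "default") -> str:
    """ACL SETUSER line that drops STRALGO from one user.

    Redis 6 ACLs can add a subcommand (+cmd|sub) but cannot remove one, so
    there is no '-stralgo|lcs'; the whole command goes.  Run this for every
    user that can connect, then persist it (CONFIG REWRITE or ACL SAVE,
    depending on whether users live in redis.conf or an aclfile).
    """
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", user):
        raise ValueError("refusing to build an ACL rule for an odd username")
    return f"ACL SETUSER {user} -stralgo"


def assess(info: str) -> Dict[str, object]:
    """Summarise one server: version, affected flag, and what to do."""
    v = version_from_info(info)
    fixed = fixed_version_for(v)
    return {
        "version": ".".join(map(str, v)),
        "affected": fixed is not None,
        "upgrade_to": None if fixed is None else ".".join(map(str, fixed)),
        "workaround": acl_workaround_rule() if fixed is not None else None,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_INFO))
```

In practice feed the script the real output of redis-cli INFO server for each instance, including replicas, which run the same command handler and are equally reachable by any client allowed to execute STRALGO.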

Tags: Fix · RCE · Integer Overflow · Out of bounds Read · Memory Corruption


Weakness Enumeration

Related Identifiers

BDU:2021-02583
CESA-2021_2034
CVE-2021-29477
GHSA-VQXJ-26VJ-996G
MGASA-2021-0373
OESA-2022-1883
OPENSUSE-SU-2021:0682-1
OPENSUSE-SU-2024:11299-1
RHSA-2021:2034
RLSA-2021:2034
SUSE-SU-2021:1652-1

Affected Products

Centos
Red Hat
Redis
Rocky Linux
Suse