CVE-2021-32761

Name of the Vulnerable Software and Affected Versions Redis versions 2.2 through 5.0.12 Redis versions 6.0 through 6.0.14 Redis versions 6.2 through 6.2.4

Description A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists in Redis. The vulnerability can be exploited to corrupt the heap, leak arbitrary heap contents, or trigger remote code execution. This issue affects Redis on 32-bit platforms or compiled as a 32-bit binary. The vulnerability involves changing the default proto-max-bulk-len configuration parameter to a very large value and constructing specially crafted commands.

Recommendations For Redis versions 2.2 through 5.0.12, update to version 5.0.13 or later. For Redis versions 6.0 through 6.0.14, update to version 6.0.15 or later. For Redis versions 6.2 through 6.2.4, update to version 6.2.5 or later. As a temporary workaround, prevent users from modifying the proto-max-bulk-len configuration parameter by using ACL to restrict unprivileged users from using the CONFIG SET command.