CVE-2021-21309

Name of the Vulnerable Software and Affected Versions Redis versions 4.0 through 6.1 Redis versions prior to 5.0.11 Redis versions prior to 6.0.11 Redis version 6.2

Description The issue is related to an integer overflow bug in 32-bit Redis versions 4.0 or newer, which could be exploited to corrupt the heap and potentially result in remote code execution. By default, authenticated Redis users have access to all configuration parameters and can change the safe default, making the system vulnerable. This problem only affects 32-bit Redis. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited.

Recommendations For Redis versions 4.0 through 6.1, update to version 6.2 or newer. For Redis versions prior to 5.0.11, update to version 5.0.11 or newer. For Redis versions prior to 6.0.11, update to version 6.0.11 or newer. As a temporary workaround, consider preventing clients from directly executing CONFIG SET by using ACL configuration to block the command in Redis 6.0 or newer, or by using the rename-command configuration directive to rename the command to a random string unknown to users in older versions.