PT-2023-3517 · Redis +10

Yossigo · Published 2023-04-18 · Updated 2025-02-13 · CVE-2023-28856

CVSS v2.0: 6.8 (Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C)

Name of the Vulnerable Software and Affected Versions:

Redis versions prior to 6.0.19

Redis versions prior to 6.2.12

Redis versions prior to 7.0.11

Description:

The vulnerability stems from insufficient input validation in the Redis database management system. An authenticated remote attacker can use the `HINCRBYFLOAT` command to create an invalid hash field; a subsequent access to that field crashes Redis, resulting in a denial of service.

Recommendations:

For versions prior to 6.0.19, upgrade to version 6.0.19 or later.

For versions prior to 6.2.12, upgrade to version 6.2.12 or later.

For versions prior to 7.0.11, upgrade to version 7.0.11 or later.

As a temporary workaround, consider restricting access to the `HINCRBYFLOAT` command until a patch is applied.
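The following is an added example (not code from the advisory or from the Redis project) for checking whether a running instance falls inside the affected ranges listed above. It parses the `redis_version` line of an `INFO server` reply and compares it against the first fixed release of each branch named in this advisory; the sample `INFO` text is constructed, and the handling of versions on branches the advisory does not name (reported as `unlisted`) is this example's own convention.

```python
import re
from typing import Optional, Tuple

# First fixed release per branch, as stated in this advisory (CVE-2023-28856).
# Keys are (major, minor); values are the full first-fixed version.
FIXED_VERSIONS = {
    (6, 0): (6, 0, 19),
    (6, 2): (6, 2, 12),
    (7, 0): (7, 0, 11),
}

# Matches the "redis_version:X.Y.Z" line that INFO server prints.
_VERSION_RE = re.compile(r"^redis_version:(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample of an INFO server reply (not captured from a real host).
SAMPLE_INFO = """# Server
redis_version:6.2.11
redis_git_sha1:00000000
redis_mode:standalone
os:Linux 5.15.0 x86_64
"""


def parse_redis_version(info_output: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from INFO server text, or None if absent."""
    m = _VERSION_RE.search(info_output)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def cve_2023_28856_status(version: Tuple[int, int, int]) -> str:
    """Classify a version against the advisory's affected ranges.

    'affected'  - below the first fixed release of its branch, or older than
                  6.0.19 on an earlier branch (the advisory says "prior to 6.0.19")
    'fixed'     - at or above the first fixed release of its branch
    'unlisted'  - on a branch the advisory does not name (example's own convention)
    """
    branch = version[:2]
    if branch in FIXED_VERSIONS:
        return "fixed" if version >= FIXED_VERSIONS[branch] else "affected"
    if version < FIXED_VERSIONS[(6, 0)]:
        return "affected"
    return "unlisted"


def check_info(info_output: str) -> dict:
    """Convenience wrapper: parse INFO text and report version plus status."""
    version = parse_redis_version(info_output)
    if version is None:
        return {"version": None, "status": "unknown"}
    return {"version": version, "status": cve_2023_28856_status(version)}


if __name__ == "__main__":
    result = check_info(SAMPLE_INFO)
    print(f"redis {'.'.join(map(str, result['version']))}: {result['status']}")
```

Feed it the output of `redis-cli INFO server` from each instance you manage; anything reported as `affected` should be upgraded per the recommendations above, and until then the advisory's workaround applies (for example, removing `hincrbyfloat` from the command set of application users with `ACL SETUSER <user> -hincrbyfloat`, an ACL rule form that exists in Redis 6.0 and later).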

Tags: Exploit · Fix · RCE · Assertion Failure

Weakness Enumeration

Related Identifiers

ALSA-2025:0595
ALT-PU-2023-5229
ALT-PU-2023-5230
ALT-PU-2023-5487
BDU:2023-03722
BIT-KEYDB-2023-28856
BIT-REDIS-2023-28856
BIT-VALKEY-2023-28856
CESA-2025_0595
CVE-2023-28856
DLA-3396-1
DLA-3885-1
GHSA-HJV8-VJF6-WCR6
INFSA-2025_0595
MGASA-2023-0156
OPENSUSE-SU-2023_2925-1
OPENSUSE-SU-2024:12874-1
RHSA-2025:0595
RHSA-2025_0595
RLSA-2025:0595
ROSA-SA-2023-2174
SUSE-SU-2023:2122-1
SUSE-SU-2023:2925-1
SUSE-SU-2023:3407-1
SUSE-SU-2023_2925-1
USN-6531-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Redis
Rocky Linux
Suse
Ubuntu