PT-2024-20757 · Redis · Redisbloom

Author: Ashitaka Akasaka (+1)

Published: 2024-04-09 · Updated: 2024-04-10

CVE-2024-25115

CVSS v3.1: 7.0
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

RedisBloom versions 2.0.0 through 2.4.6

RedisBloom versions 2.6.0 through 2.6.9

Description:

RedisBloom adds a set of probabilistic data structures to Redis. Specially crafted `CF.LOADCHUNK` commands may be used by authenticated users to trigger a heap overflow, which may lead to remote code execution.

Recommendations:

For RedisBloom versions 2.0.0 through 2.4.6, update to version 2.4.7 to resolve the issue.

For RedisBloom versions 2.6.0 through 2.6.9, update to version 2.6.10 to resolve the issue.

As a temporary workaround, consider restricting access to the `CF.LOADCHUNK` command to minimize the risk of exploitation.
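As an added example (not part of this advisory or of the RedisBloom project), a small Python audit helper: it reads the RedisBloom version out of a `MODULE LIST` reply, matches it against the affected ranges listed above, and emits the ACL rule that implements the suggested workaround. It assumes RedisBloom registers under the module name `bf` and reports its version as major*10000 + minor*100 + patch; the `MODULE LIST` reply below is constructed.

```python
from typing import List, Optional, Tuple

# Affected ranges and the fixed release for each, as stated in the advisory.
AFFECTED_RANGES = [
    ((2, 0, 0), (2, 4, 6), "2.4.7"),
    ((2, 6, 0), (2, 6, 9), "2.6.10"),
]


def decode_module_version(ver: int) -> Tuple[int, int, int]:
    """Split an integer module version into (major, minor, patch).
    Assumption: RedisBloom encodes its version as major*10000 + minor*100 + patch."""
    return (ver // 10000, (ver // 100) % 100, ver % 100)


def fixed_version_for(ver: int) -> Optional[str]:
    """Return the release to upgrade to, or None if the version is outside both ranges."""
    v = decode_module_version(ver)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return fixed
    return None


def bloom_version_from_module_list(reply: List[list]) -> Optional[int]:
    """Find the RedisBloom entry in a MODULE LIST reply (flat key/value lists).
    Assumption: the module registers under the name 'bf'."""
    for entry in reply:
        fields = dict(zip(entry[0::2], entry[1::2]))
        if fields.get("name") == "bf":
            return int(fields["ver"])
    return None


def workaround_acl_rule(user: str) -> str:
    """ACL SETUSER line removing CF.LOADCHUNK from an otherwise unchanged user."""
    return f"ACL SETUSER {user} -cf.loadchunk"


# Constructed sample: a server with RedisBloom 2.4.6 loaded.
SAMPLE_MODULE_LIST = [
    ["name", "bf", "ver", 20406, "path", "/opt/redis/redisbloom.so", "args", []],
]

if __name__ == "__main__":
    ver = bloom_version_from_module_list(SAMPLE_MODULE_LIST)
    fixed = fixed_version_for(ver)
    print("RedisBloom %d.%d.%d:" % decode_module_version(ver),
          "upgrade to %s" % fixed if fixed else "not in an affected range")
    print("Temporary workaround:", workaround_acl_rule("appuser"))
```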

Fix

Weakness Enumeration: Heap Based Buffer Overflow; Buffer Overflow

Related Identifiers: CVE-2024-25115, GHSA-W583-P2WH-4VJ5

Affected Products: Redisbloom