PT-2024-20758 · Redis · Redisbloom
Ashitaka Akasaka
Published 2024-04-09 · Updated 2024-04-10
CVE-2024-25116
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
RedisBloom versions 2.0.0 through 2.4.6
RedisBloom versions 2.6.0 through 2.6.9
Description
RedisBloom adds a set of probabilistic data structures to Redis. Authenticated users can use the CF.RESERVE command to trigger a runtime assertion and termination of the Redis server process.
Recommendations
For RedisBloom versions 2.0.0 through 2.4.6, update to version 2.4.7 to resolve the issue.
For RedisBloom versions 2.6.0 through 2.6.9, update to version 2.6.10 to resolve the issue.
As a temporary workaround, consider restricting access to the CF.RESERVE command until a patch is available.
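An added helper for checking exposure to this advisory (example code, not part of the advisory or of RedisBloom): it decides whether a RedisBloom version falls in the affected ranges and replays the command rules of `ACL LIST` entries to find users who can still reach CF.RESERVE, which is the workaround above. It assumes that the integer `ver` in `MODULE LIST` is encoded as major*10000 + minor*100 + patch and only interprets the `+@all`/`-@all`/`+cmd`/`-cmd` rule forms, so a `True` from the ACL check means "possibly allowed".

```python
"""CVE-2024-25116 exposure check: RedisBloom version and ACL audit (constructed example)."""
from typing import List, Tuple

# Affected ranges and fixed versions as listed in the advisory.
AFFECTED_RANGES = [((2, 0, 0), (2, 4, 6)), ((2, 6, 0), (2, 6, 9))]
FIXED_VERSION = {(2, 4): "2.4.7", (2, 6): "2.6.10"}


def parse_module_ver(ver: int) -> Tuple[int, int, int]:
    """Decode the integer 'ver' from MODULE LIST (assumed major*10000 + minor*100 + patch)."""
    return ver // 10000, (ver // 100) % 100, ver % 100


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the RedisBloom version is inside a range the advisory lists as vulnerable."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def can_call(acl_line: str, command: str) -> bool:
    """Replay one 'ACL LIST' entry left to right and report whether `command` is still allowed.
    Only +@all/-@all/allcommands/nocommands and +cmd/-cmd are interpreted (simplification);
    other category rules are ignored, so True means 'possibly allowed'."""
    tokens = acl_line.split()
    if len(tokens) < 3 or tokens[0] != "user" or tokens[2] == "off":
        return False  # malformed entry or disabled user: cannot issue any command
    command = command.lower()
    allowed = False
    for tok in (t.lower() for t in tokens[3:]):
        if tok in ("+@all", "allcommands"):
            allowed = True
        elif tok in ("-@all", "nocommands"):
            allowed = False
        elif tok == "+" + command:
            allowed = True
        elif tok == "-" + command:
            allowed = False
    return allowed


def users_exposed(acl_lines: List[str], command: str = "cf.reserve") -> List[str]:
    """Names of users whose ACL entry still permits `command`."""
    return [line.split()[1] for line in acl_lines if can_call(line, command)]


# Constructed ACL LIST output: one unrestricted user, one with the workaround applied, one disabled.
SAMPLE_ACL = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user app on #0000000000000000000000000000000000000000000000000000000000000000 ~* &* +@all -cf.reserve",
    "user legacy off -@all",
]

if __name__ == "__main__":
    print("affected:", is_affected(parse_module_ver(20406)))  # 2.4.6
    print("exposed users:", users_exposed(SAMPLE_ACL))
```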
Affected Products
Redisbloom