Lucene search

[email protected]CVE-2023-41056

HistoryJan 10, 2024 - 4:15 p.m.

CVE-2023-41056

2024-01-1016:15:46

CWE-762

CWE-190

[email protected]

web.nvd.nist.gov

128

redis

memory buffer

integer overflow

remote code execution

cve-2023-41056

nvd

security patch

redis 7.0.15

redis 7.2.4

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.3 High

AI Score

Confidence

High

0.007 Low

EPSS

Percentile

81.1%

JSON

Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4.

Affected configurations

Vulners

NVD

Node

redisredisRange7.0.9–7.0.15

redisredisRange7.2.0–7.2.4

VendorProductVersionCPE
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
redisredis*cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redis	redis	*	cpe:2.3:a:redis:redis::::::::
redis	redis	*	cpe:2.3:a:redis:redis::::::::

CNA Affected

[
  {
    "vendor": "redis",
    "product": "redis",
    "versions": [
      {
        "version": ">= 7.0.9, < 7.0.15",
        "status": "affected"
      },
      {
        "version": ">= 7.2.0, < 7.2.4",
        "status": "affected"
      }
    ]
  }
]