CVE-2021-32627 Integer overflow issue with Streams in Redis

2021-10-0417:35:16

CWE-190

CWE-680

GitHub_M

www.cve.org

redis

integer overflow

remote code execution

configuration parameters

acl

heap corruption

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

8.5

Confidence

High

EPSS

0.005

Percentile

77.4%

JSON

Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

CNA Affected

[
  {
    "product": "redis",
    "vendor": "redis",
    "versions": [
      {
        "status": "affected",
        "version": ">= 5.0.0, < 5.0.14"
      },
      {
        "status": "affected",
        "version": ">= 6.0.0, < 6.0.16"
      },
      {
        "status": "affected",
        "version": ">= 6.2.0, < 6.2.6"
      }
    ]
  }
]