Lucene search

PRIOn knowledge basePRION:CVE-2023-28856

HistoryApr 18, 2023 - 9:15 p.m.

Command injection

2023-04-1821:15:00

PRIOn knowledge base

www.prio-n.com

redis

command injection

vulnerability

versions

upgrade

nvd

6.5 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.5%

JSON

Redis is an open source, in-memory database that persists on disk. Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.

CPENameOperatorVersion
debian_linuxeq10.0
fedoraeq36
fedoraeq37
fedoraeq38
redisge7.0.0
redislt7.0.11
redisge6.2.0
redislt6.2.12
redislt6.0.19

Name	Operator	Version
debian_linux	eq	10.0
fedora	eq	36
fedora	eq	37
fedora	eq	38
redis	ge	7.0.0
redis	lt	7.0.11
redis	ge	6.2.0
redis	lt	6.2.12
redis	lt	6.0.19

References

github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c

github.com/redis/redis/pull/11149

github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6

lists.debian.org/debian-lts-announce/2023/04/msg00023.html

lists.fedoraproject.org/archives/list/[email protected]/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/

lists.fedoraproject.org/archives/list/[email protected]/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/

lists.fedoraproject.org/archives/list/[email protected]/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/

security.netapp.com/advisory/ntap-20230601-0007/