CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
75.8%
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to
7.0.12, extracting key names from a command and a list of arguments may, in
some cases, trigger a heap overflow and result in reading random heap
memory, heap corruption and potentially remote code execution. Several
scenarios that may lead to authenticated users executing a specially
crafted COMMAND GETKEYS
or COMMAND GETKEYSANDFLAGS
and authenticated
users who were set with ACL rules that match key names, executing a
specially crafted command that refers to a variadic list of key names. The
vulnerability is patched in Redis 7.0.12.