Remote Code Execution (RCE)

2022-09-2406:58:38

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

redis

rce

vulnerability

integer overflow

xautoclaim

command

malicious code

0.029 Low

EPSS

Percentile

90.8%

JSON

Redis is vulnerable to remote code execution. The vulnerability exists due to an integer overflow when executing an XAUTOCLAIM command on a stream key in a specific state, with a specially crafted COUNT argument allowing an attacker to inject maliciously crafted code into the system.

CPENameOperatorVersion
redis:3.16eq6.2.7-r0
redis:3.16eq7.0.2-r0
redis:3.16eq7.0.0-r0
redis:3.16eq6.2.6-r0
redis:3.16eq7.0.4-r1
redis:3.16eq7.0.4-r0
redis:edgeeq6.2.6-r0
redis:edgeeq7.0.3-r0
redis:edgeeq6.2.3-r0
redis:edgeeq7.0.2-r0

Name	Operator	Version
redis:3.16	eq	6.2.7-r0
redis:3.16	eq	7.0.2-r0
redis:3.16	eq	7.0.0-r0
redis:3.16	eq	6.2.6-r0
redis:3.16	eq	7.0.4-r1
redis:3.16	eq	7.0.4-r0
redis:edge	eq	6.2.6-r0
redis:edge	eq	7.0.3-r0
redis:edge	eq	6.2.3-r0
redis:edge	eq	7.0.2-r0