CVE-2021-32626

Published: Oct 4, 2021Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Affected (13)

Products: Redis: Redis · Fedoraproject: Fedora · Netapp: Management Services For Element Software, Management Services For Netapp Hci · +2 more

Show all products

Redis: Redis · Fedoraproject: Fedora · Netapp: Management Services For Element Software, Management Services For Netapp Hci · Debian: Debian Linux · Oracle: Communications Operations Monitor

1 product

1 product

2 products

Management Services For Element Software

Management Services For Netapp Hci

1 product

1 product

Communications Operations Monitor

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Redis Redis	From 2.6 to 5.0.14
Redis Redis	From 6.0.0 to 6.0.16
Redis Redis	From 6.2.0 to 6.2.6

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 33
Fedoraproject Fedora	Version 34
Fedoraproject Fedora	Version 35

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Netapp Management Services For Element Software	All versions
Netapp Management Services For Netapp Hci	All versions

Configuration D

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 11.0

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Oracle Communications Operations Monitor	Version 4.3
Oracle Communications Operations Monitor	Version 4.4
Oracle Communications Operations Monitor	Version 5.0

Related CWEs

Heap-based Buffer Overflow

A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Out-of-bounds Write

The product writes data past the end, or before the beginning, of the intended buffer.

References (20)

https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c

Source: security-advisories@github.com

Third Party Advisory

https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/

Source: security-advisories@github.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/

Source: security-advisories@github.com

https://security.gentoo.org/glsa/202209-17

Source: security-advisories@github.com

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211104-0003/

Source: security-advisories@github.com

Third Party Advisory

https://www.debian.org/security/2021/dsa-5001

Source: security-advisories@github.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: security-advisories@github.com

PatchThird Party Advisory

https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/202209-17

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security.netapp.com/advisory/ntap-20211104-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.debian.org/security/2021/dsa-5001

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.oracle.com/security-alerts/cpuapr2022.html

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

Timeline

No history available yet.