← Back

CVE-2021-32627

nvd nist
Published: Oct 4, 2021Modified: Nov 21, 2024

JSON object

Loading...
7.5
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 1.6 / Impact: 5.9
Source: NVD

Description

Redis is an open source, in-memory database that persists on disk. In affected versions an integer overflow bug in Redis can be exploited to corrupt the heap and potentially result with remote code execution. The vulnerability involves changing the default proto-max-bulk-len and client-query-buffer-limit configuration parameters to very large values and constructing specially crafted very large stream elements. The problem is fixed in Redis 6.2.6, 6.0.16 and 5.0.14. For users unable to upgrade an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from modifying the proto-max-bulk-len configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Affected (13)

Products: Redis: Redis · Fedoraproject: Fedora · Debian: Debian Linux · +2 more
Show all products
Redis: Redis · Fedoraproject: Fedora · Debian: Debian Linux · Netapp: Management Services For Element Software, Management Services For Netapp Hci · Oracle: Communications Operations Monitor
Redis
1 product
Redis
Fedoraproject
1 product
Fedora
Debian
1 product
Debian Linux
Netapp
2 products
Management Services For Element Software
Management Services For Netapp Hci
Oracle
1 product
Communications Operations Monitor
Configuration A
3 vulnerable
Vulnerable SoftwareAffected Versions
Redis
Redis
From 5.0.0 to 5.0.14
Redis
From 6.0.0 to 6.0.16
Redis
From 6.2.0 to 6.2.6
Configuration B
3 vulnerable
Vulnerable SoftwareAffected Versions
Fedoraproject
Fedora
Version 33
Fedora
Version 34
Fedora
Version 35
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Debian
Debian Linux
Version 10.0
Debian Linux
Version 11.0
Configuration D
2 vulnerable
Vulnerable SoftwareAffected Versions
Management Services For Element Software
All versions
Management Services For Netapp Hci
All versions
Configuration E
3 vulnerable
Vulnerable SoftwareAffected Versions
Oracle
Communications Operations Monitor
Version 4.3
Communications Operations Monitor
Version 4.4
Communications Operations Monitor
Version 5.0

Related CWEs

CWE-190
Integer Overflow or Wraparound
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-680
Integer Overflow to Buffer Overflow
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.

References (18)

Source: security-advisories@github.com
PatchThird Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
Third Party Advisory
Source: security-advisories@github.com
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
PatchThird Party Advisory

Timeline

No history available yet.