Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2021-32761

Date: July 21, 2021

Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read and integer overflow to buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, Redis "*BIT*" command are vulnerable to integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default "proto-max-bulk-len" configuration parameter to a very large value and constructing specially crafted commands bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0."3m 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the "redis-server"executable is to prevent users from modifying the"proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Language: C

Severity Score

Related Resources (15)

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VGX7RRAWGXWXEAKJTQYSDSBO2BC3SAHD/
https://security.gentoo.org/glsa/202209-17
https://lists.debian.org/debian-lts-announce/2021/08/msg00026.html
https://people.canonical.com/~ubuntu-security/cve/CVE-2021-32761
https://security.alpinelinux.org/vuln/CVE-2021-32761
https://security.netapp.com/advisory/ntap-20210827-0004/
https://lists.debian.org/debian-lts-announce/2021/07/msg00017.html
https://www.debian.org/security/2021/dsa-5001
https://security-tracker.debian.org/tracker/CVE-2021-32761
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6O7AUOROBYGP5IMGJPC5HZ3R2RB6GZ5X/
https://nvd.nist.gov/vuln/detail/CVE-2021-32761
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6O7AUOROBYGP5IMGJPC5HZ3R2RB6GZ5X/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VGX7RRAWGXWXEAKJTQYSDSBO2BC3SAHD/
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj
https://www.mend.io/vulnerability-database/CVE-2021-32761

Severity Score

Weakness Type (CWE)

Integer Overflow or Wraparound

CWE-190

Out-of-bounds Read

CWE-125

Integer Overflow to Buffer Overflow

CWE-680

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (AU): SINGLE
Confidentiality (C): PARTIAL
Integrity (I): PARTIAL
Availability (A): PARTIAL
Additional information:

Do you need more information?

Contact Us