Vulnerability DatabaseCVE-2024-31228
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2024-31228
October 07, 2024
Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as "KEYS", "SCAN", "PSUBSCRIBE", "FUNCTION LIST", "COMMAND LIST" and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Related Resources (5)
https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0
https://lists.debian.org/debian-lts-announce/2024/11/msg00031.html
https://security.alpinelinux.org/vuln/CVE-2024-31228
https://security-tracker.debian.org/tracker/CVE-2024-31228
https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.8
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
NONE
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
NONE
Availability
HIGH
Weakness Type (CWE)
Uncontrolled Recursion
CWE-674
EPSS
Base Score:
0.85