CVE-2024-31227

Redis is an open source, in-memory database that persists on disk. An authenticated with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CVSS v3 4.4 MEDIUM

4.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a
https://github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh

Configurations

No configuration.

History

10 Oct 2024, 12:57

Type	Values Removed	Values Added
Summary		(es) Redis es una base de datos de código abierto en memoria que persiste en el disco. Un usuario autenticado con privilegios suficientes puede crear un selector de ACL mal formado que, cuando se accede a él, desencadena un pánico del servidor y la consiguiente denegación de servicio. El problema existe en Redis 7 anterior a las versiones 7.2.6 y 7.4.1. Se recomienda a los usuarios que actualicen la versión. No existen workarounds conocidas para esta vulnerabilidad.

07 Oct 2024, 20:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-10-07 20:15

Updated : 2024-10-10 12:57

NVD link : CVE-2024-31227

Mitre link : CVE-2024-31227

CVE.ORG link : CVE-2024-31227

JSON object : View

Products Affected

No product.

CWE

CWE-20

Improper Input Validation

4.4 /10