CVE-2021-29477

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-29477

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29477.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-29477

Aliases

GHSA-vqxj-26vj-996g

Related

Published

2021-05-04T16:15:07Z

Modified

2024-10-12T07:13:29.017545Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result with remote code execution. The problem is fixed in version 6.2.3 and 6.0.13. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the STRALGO LCS command.

References

Affected packages

Alpine:v3.13 / redis

Package

Name: redis
Purl: pkg:apk/alpine/redis?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

6.0.13-r0

Affected versions

2.*

2.4.14-r0

2.4.14-r1

2.4.14-r2

2.4.16-r0

2.6.16-r0

2.6.17-r0

2.8.9-r0

2.8.9-r1

2.8.9-r2

2.8.10-r0

2.8.11-r0

2.8.12-r0

2.8.13-r0

2.8.14-r0

2.8.17-r0

2.8.19-r0

3.*

3.0.0-r0

3.0.0-r1

3.0.1-r0

3.0.2-r0

3.0.3-r0

3.0.4-r0

3.0.5-r0

3.0.5-r1

3.0.6-r0

3.0.7-r0

3.0.7-r1

3.2.0-r0

3.2.1-r0

3.2.3-r0

3.2.4-r0

3.2.5-r0

3.2.7-r0

3.2.8-r0

3.2.9-r0

4.*

4.0.2-r0

4.0.2-r1

4.0.5-r0

4.0.6-r0

4.0.8-r0

4.0.9-r0

4.0.9-r1

4.0.9-r2

4.0.10-r0

4.0.10-r1

4.0.11-r0

4.0.12-r0

4.0.13-r0

5.*

5.0.4-r0

5.0.5-r0

5.0.7-r0

5.0.8-r0

5.0.9-r0

6.*

6.0.1-r0

6.0.4-r0

6.0.5-r0

6.0.9-r0

6.0.10-r0

6.0.11-r0

Debian:11 / redis

Package

Name: redis
Purl: pkg:deb/debian/redis?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5:6.0.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / redis

Package

Name: redis
Purl: pkg:deb/debian/redis?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5:6.0.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / redis

Package

Name: redis
Purl: pkg:deb/debian/redis?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5:6.0.13-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/antirez/redis

Affected ranges

Type: GIT
Repo: https://github.com/antirez/redis
Events: Introduced

17dfd7cabbf7954f92b7a1243d4bb27fee5d4500

Fixed

68e93c22c3b5844cedb5b586c1ffb5c4c1ae364b

Type: GIT
Repo: https://github.com/redis/redis
Events: Introduced

445aa844b946a8f1bc21ac8554b44adb1ecb4018

Fixed

e90e5640e7840860bc6726a08135ea86687bbd58

Affected versions

6.*

6.0.0

6.0.1

6.0.10

6.0.11

6.0.12

6.0.2

6.0.3

6.0.4

6.0.5

6.0.6

6.0.7

6.0.8

6.0.9

6.2.0

6.2.1

6.2.2