CVE-2021-29478
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-29478
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-29478.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-29478
- Aliases
-
- GHSA-qh52-crrg-44g3
- Related
- Published
- 2021-05-04T16:15:07Z
- Modified
- 2024-10-12T07:13:01.147743Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result with remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the
redis-serverexecutable is to prevent users from modifying theset-max-intset-entriesconfiguration parameter. This can be done using ACL to restrict unprivileged users from using theCONFIG SETcommand. - References
-
- https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3
- https://security.gentoo.org/glsa/202107-20
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPWBIZXA67JFIB63W2CNVVILCGIC2ME5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZJ6JGQ2ETZB2DWTQSGCOGG7EF3ILV4V/
- https://redis.io/
- https://security-tracker.debian.org/tracker/CVE-2021-29478
Affected packages
Debian:11 / redis
Package
- Name
- redis
- Purl
- pkg:deb/debian/redis?arch=source
Debian:12 / redis
Package
- Name
- redis
- Purl
- pkg:deb/debian/redis?arch=source
Debian:13 / redis
Package
- Name
- redis
- Purl
- pkg:deb/debian/redis?arch=source