CVE-2022-36021

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-36021
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36021.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-36021
Aliases
Downstream
Related
Published
2023-03-01T15:46:23.567Z
Modified
2026-06-18T04:08:27.611142658Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Redis string pattern matching can be abused to achieve Denial of Service
Details

Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36021.json",
    "cwe_ids": [
        "CWE-407"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/redis/redis

Affected ranges

Type
GIT
Repo
https://github.com/redis/redis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ebe2e4583fc6b4cd1a8142caa51fa7c8d37d6de3
Introduced
445aa844b946a8f1bc21ac8554b44adb1ecb4018
Fixed
720ea82eab846abc36651d01cc9f8347d4f42f90
Introduced
d375595d5e3ae2e5c29e6c00a2dc3d60578fd9fc
Fixed
86920532f72ff005fcb146c5a02562f9a10b8140
Fixed
dcbfcb916ca1a269b3feef86ee86835294758f84
Database specific 
{
    "cpe": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*",
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "6.0.18"
        },
        {
            "introduced": "6.2.0"
        },
        {
            "fixed": "6.2.11"
        },
        {
            "introduced": "7.0.0"
        },
        {
            "fixed": "7.0.9"
        }
    ]
}

Affected versions

1.*
1.3.6
2.*
2.2-alpha0
2.2-alpha1
2.2-alpha2
2.2-alpha3
2.2-alpha4
2.2-alpha5
2.2-alpha6
2.2.0-rc1
2.3-alpha0
6.*
6.0-rc1
6.0-rc2
6.0-rc3
6.0-rc4
6.0.0
6.0.1
6.0.10
6.0.11
6.0.12
6.0.13
6.0.14
6.0.15
6.0.16
6.0.17
6.0.2
6.0.3
6.0.4
6.0.5
6.0.6
6.0.7
6.0.8
6.0.9
6.2.0
6.2.1
6.2.10
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.2.9
7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8
v1.*
v1.3.10
v1.3.11
v1.3.7
v1.3.8
v1.3.9
v2.*
v2.0.0-rc1
v2.1.1-watch
Other
vm-playpen

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36021.json"