CVE-2022-36021

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2022-36021
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36021.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-36021
Aliases
Downstream
Related
Published
2023-03-01T15:46:23.567Z
Modified
2026-02-14T19:59:00.347993Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Redis string pattern matching can be abused to achieve Denial of Service
Details

Redis is an in-memory database that persists on disk. Authenticated users can use string matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time. The problem is fixed in Redis versions 6.0.18, 6.2.11, 7.0.9.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-407"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/36xxx/CVE-2022-36021.json"
}
References

Affected packages

Git / github.com/redis/redis

Affected ranges

Type
GIT
Repo
https://github.com/redis/redis
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
ebe2e4583fc6b4cd1a8142caa51fa7c8d37d6de3
Introduced
445aa844b946a8f1bc21ac8554b44adb1ecb4018
Fixed
720ea82eab846abc36651d01cc9f8347d4f42f90
Introduced
d375595d5e3ae2e5c29e6c00a2dc3d60578fd9fc
Fixed
86920532f72ff005fcb146c5a02562f9a10b8140

Affected versions

6.*
6.2.0
6.2.1
6.2.10
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.2.9
7.*
7.0.0
7.0.1
7.0.2
7.0.3
7.0.4
7.0.5
7.0.6
7.0.7
7.0.8

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-36021.json"