Redis Vulnerability Leads to Assertion Failure via Non-Administrative Commands
CVE-2021-31294
5.9 MEDIUM
Summary
A vulnerability in Redis allows a replica to cause an assertion failure in the primary server by issuing non-administrative commands, specifically the SET command. The flaw affects Redis versions prior to 6.2.x. It arose because earlier versions lacked the intended safety guarantees, so systems running outdated software are particularly susceptible. A fix was introduced in Redis versions 6.2.x and 7.x.
CVSS V3.1
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved