Redis Vulnerability Leads to Assertion Failure via Non-Administrative Commands
CVE-2021-31294

5.9MEDIUM

Key Information:

Vendor

Redis

Status
Redis
Vendor
CVE Published:
15 July 2023

What is CVE-2021-31294?

A vulnerability has been identified in Redis that allows a replica to induce an assertion failure in the primary server by issuing non-administrative commands, specifically the SET command. This flaw affects Redis versions prior to 6.2.x. The issue arose from a lack of intended safety guarantees in earlier versions, making systems running outdated software particularly susceptible. A fix was introduced in Redis versions 6.2.x and 7.x to address this critical concern.

References

https://github.com/redis/redis/issues/8712
https://github.com/redis/redis/commit/6cbea7d29b528569284...
https://github.com/redis/redis/commit/46f4ebbe842620f0976...

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2021-31294 : Redis Vulnerability Leads to Assertion Failure via Non-Administrative Commands