Potential heap overflow in Redis
CVE-2022-31144

7HIGH

Key Information:

Vendor
Redis
Status
Redis
Vendor
CVE Published:
19 July 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

Redis is an in-memory database that persists on disk. A specially crafted XAUTOCLAIM command on a stream key in a specific state may result with heap overflow, and potentially remote code execution. This problem affects versions on the 7.x branch prior to 7.0.4. The patch is released in version 7.0.4.

Affected Version(s)

redis >= 7.0.0, < 7.0.4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-31144
Created by SpiralBL0CK

References

https://github.com/redis/redis/security/advisories/GHSA-9...
x_refsource_CONFIRM
https://github.com/redis/redis/releases/tag/7.0.4
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20220909-0002/
x_refsource_CONFIRM

EPSS Score

8% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.