Integer overflow in multiple Redis commands can lead to denial-of-service
CVE-2023-22458
5.5MEDIUM
What is CVE-2023-22458?
Redis is an in-memory database that persists on disk. Authenticated users can issue a HRANDFIELD
or ZRANDMEMBER
command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected Version(s)
redis >= 6.2, < 6.2.9 < 6.2, 6.2.9
redis >= 7.0, < 7.0.8 < 7.0, 7.0.8
References
EPSS Score
66% chance of being exploited in the next 30 days.
CVSS V3.1
Score:
5.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved