Redis SORT_RO may bypass ACL configuration
CVE-2023-41053

3.3LOW

Key Information:

Vendor: Redis
Status: Redis
Vendor: CVE Published:; 6 September 2023

Summary

Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by SORT_RO and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected Version(s)

redis >= 7.0.0, < 7.0.13 < 7.0.0, 7.0.13

redis >= 7.1.0, < 7.2.1 < 7.1.0, 7.2.1

References

https://github.com/redis/redis/security/advisories/GHSA-q...

x_refsource_CONFIRM

https://github.com/redis/redis/commit/9e505e6cd842338424e...

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 6, 2023
Vulnerability Reserved
Aug 22, 2023