CVE-2020-14147
Status: Published
An integer overflow in the getnum function in lua_struct.c in Redis before 6.0.3 allows context-dependent attackers with permission to run Lua code in a Redis session to cause a denial of service (memory corruption and application crash) or possibly bypass intended sandbox restrictions via a large number, which triggers a stack-based buffer overflow. NOTE: this issue exists because of a CVE-2015-8080 regression.
Risk Scores
- EPSS Score: 0.42% (61.9th percentile)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:Pro:20.04:LTS | redis | 5:5.0.5-2build1, 5:5.0.6-1, 5:5.0.7-1 |
Timeline
- Jun 15, 2020 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 22, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 27, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jul 2, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2020-14147 third-party-advisory
- https://github.com/antirez/redis/pull/6875 third-party-advisory
- https://github.com/antirez/redis/commit/ef764dde1cca2f25d00686673d1bc89448819571 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2020-14147 third-party-advisory