CVE-2021-29478 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-29478 PUBLISHED CVSS 7.5 HIGH

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis 6.2 before 6.2.3 could be exploited to corrupt the heap and potentially result with remote code execution. Redis 6.0 and earlier are not directly affected by this issue. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `set-max-intset-entries` configuration parameter. This can be done using ACL to restrict unprivileged users from using the `CONFIG SET` command.

EPSS 2.49% · 85.2th percentile

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

2.49%

85.2th percentile

Affected Products

Vendor	Product	Versions
redislabs	redis	6.2.0
fedoraproject	fedora	33, 34
redis	redis	>= 6.2.0, < 6.2.3

Timeline

May 3, 2021 CVE Published
May 5, 2021 EPSS Score
Jul 7, 2021 EPSS Score
Nov 7, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Jan 8, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Apr 1, 2022 EPSS Score
May 10, 2022 EPSS Score
Jul 11, 2022 EPSS Score
Sep 11, 2022 EPSS Score
Jan 12, 2023 EPSS Score

References

https://redis.io/ url
https://github.com/redis/redis/security/advisories/GHSA-qh52-crrg-44g3 url
FEDORA-2021-3b267a756c vendor-advisory
FEDORA-2021-8b19c99d6a vendor-advisory
GLSA-202107-20 vendor-advisory

Open in Interactive Console →