CVE Vulnerability

CVE-2023-22458

Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

5.5 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj Third Party Advisory
https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02 Patch Third Party Advisory
https://github.com/redis/redis/releases/tag/6.2.9 Release Notes Third Party Advisory
https://github.com/redis/redis/releases/tag/7.0.8 Release Notes Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*
Information

Published : 2023-01-20 07:15

Updated : 2023-02-02 02:23

NVD link : CVE-2023-22458

Mitre link : CVE-2023-22458

Products Affected
No products.
CWE
CWE-190