Input validation error in redis (Alpine package)



Published: 2015-06-11
Risk High
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2015-4335
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		redis (Alpine package)
Operating systems & Components / Operating system package or component

Vendor Alpine Linux Development Team

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) Input validation error

EUVDB-ID: #VU33828

Risk: High

CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-4335

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

Mitigation

Install update from vendor's website.

Vulnerable software versions

redis (Alpine package): 2.8.9-r2 - 2.8.17-r0

External links

http://git.alpinelinux.org/aports/commit/?id=616183cdf0ec0ca50add9ff8429f2fcf42f369bc
http://git.alpinelinux.org/aports/commit/?id=ce3b85c17869c6e4d324a05518b23856e650ae99
http://git.alpinelinux.org/aports/commit/?id=767c2e73ddbc57f6b6aa16649bf5a28473b043ee


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###