Denial of service in Redis



Published: 2023-02-28 | Updated: 2023-03-01
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2022-36021
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		Redis
Server applications / Database software

Vendor Redis Labs

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU72634

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-36021

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources when matching commands (like SCAN or KEYS) with a specially crafted pattern. A remote user can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Redis: 6.0.0 - 7.0.8

External links

http://github.com/redis/redis/security/advisories/GHSA-jr7j-rfj5-8xqv
http://github.com/redis/redis/releases/tag/6.0.18
http://github.com/redis/redis/releases/tag/7.0.9
http://github.com/redis/redis/releases/tag/6.2.11


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###