Main Vulnerability Database Vulnerabilities #VU13402

Type confusion in Redis - CVE-2018-12453

Published: June 19, 2018 / Updated: June 17, 2021

Vulnerability identifier: #VU13402

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: CVE-2018-12453

CWE-ID: CWE-704

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vendor: Salvatore Sanfilippo

Affected software:
Redis

Detailed vulnerability description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The vulnerability exists in the xgroupCommand function due to improper handling of an XGROUP command where the key is not a stream by the xgroupCommand function, as defined in the t_stream.c source code file. A remote attacker can execute an XGROUP command that submits malicious input, trigger a type confusion condition and cause the service to crash.

How to mitigate CVE-2018-12453

Install update from vendor's website.

Sources

https://github.com/antirez/redis/commit/c04082cf138f1f51cedf05ee9ad36fb6763cafc6

Type confusion in Redis - CVE-2018-12453

Detailed vulnerability description

How to mitigate CVE-2018-12453

Sources

Please verify you're human