Main Vulnerability Database Vulnerabilities #VU31401

#VU31401 Security Features in Redis - CVE-2016-10517

Published: October 24, 2017 / Updated: July 18, 2020

Vulnerability identifier: #VU31401

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-10517

CWE-ID: CWE-254

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Redis

Software vendor:
Salvatore Sanfilippo

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting" because it lacks a check for POST and Host: strings, which are not valid in the Redis protocol (but commonly occur when an attack triggers an HTTP request to the Redis TCP port).

Remediation

Install update from vendor's website.

External links

http://www.securityfocus.com/bid/101572
https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/

#VU31401 Security Features in Redis - CVE-2016-10517

Description

Remediation

External links

Please verify you're human