CVE-2023-36824
Heap overflow in COMMAND GETKEYS and ACL evaluation in Redis
In short
Redis has a memory overflow bug when processing certain commands that extract key names. An authenticated attacker can send specially crafted commands to crash the database, leak sensitive data, or potentially execute code.
Technical detail
A heap buffer overflow exists in Redis 7.0 prior to 7.0.12 in the key name extraction logic used by COMMAND GETKEYS, COMMAND GETKEYSANDFLAGS, and ACL key matching. Authenticated users can trigger this vulnerability via variadic key name arguments, leading to heap corruption, information disclosure, and potential remote code execution.
Summary generated and translated by AI from the official description.
Redis is an in-memory database that persists on disk. In Redit 7.0 prior to 7.0.12, extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. Several scenarios that may lead to authenticated users executing a specially crafted `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS`and authenticated users who were set with ACL rules that match key names, executing a specially crafted command that refers to a variadic list of key names. The vulnerability is patched in Redis 7.0.12.
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
redis · redisWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/redis/redis/releases/tag/7.0.12https://github.com/redis/redis/security/advisories/GHSA-4cfx-h9gq-xpx3https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MIF5MAGYARYUMRFK7PQI7HYXMK2HZE5T/https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TDNNH2ONMVNBQ6LUIAOAGDNFPKXNST5K/https://security.netapp.com/advisory/ntap-20230814-0009/