CVE-2023-22458

medium

Description

Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References

https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj

https://github.com/redis/redis/releases/tag/7.0.8

https://github.com/redis/redis/releases/tag/6.2.9

https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02

Details

Source: Mitre, NVD

Published: 2023-01-20

Updated: 2023-02-02

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C

Severity: Medium

CVSS v3

Base Score: 5.5

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Severity: Medium