CVE-2021-32626
Summary
| CVE | CVE-2021-32626 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-10-04 18:15:00 UTC |
| Updated | 2023-11-07 03:35:00 UTC |
| Description | Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands. |
Risk And Classification
Problem Types: CWE-787 | CWE-122
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Debian | Debian Linux | 10.0 | All | All | All |
| Operating System | Debian | Debian Linux | 11.0 | All | All | All |
| Operating System | Fedoraproject | Fedora | 33 | All | All | All |
| Operating System | Fedoraproject | Fedora | 34 | All | All | All |
| Operating System | Fedoraproject | Fedora | 35 | All | All | All |
| Application | Netapp | Hci | - | All | All | All |
| Application | Netapp | Management Services For Element Software | - | All | All | All |
| Application | Netapp | Management Services For Element Software And Netapp Hci | - | All | All | All |
| Application | Netapp | Management Services For Netapp Hci | - | All | All | All |
| Application | Oracle | Communications Operations Monitor | 4.3 | All | All | All |
| Application | Oracle | Communications Operations Monitor | 4.4 | All | All | All |
| Application | Oracle | Communications Operations Monitor | 5.0 | All | All | All |
| Application | Redis | Redis | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [SECURITY] Fedora 33 Update: redis-6.0.16-1.fc33 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Redis: Multiple Vulnerabilities (GLSA 202209-17) — Gentoo security | GENTOO | security.gentoo.org | |
| [druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3 | lists.apache.org | ||
| [SECURITY] Fedora 33 Update: redis-6.0.16-1.fc33 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Debian -- Security Information -- DSA-5001-1 redis | DEBIAN | www.debian.org | |
| Oracle Critical Patch Update Advisory - April 2022 | MISC | www.oracle.com | |
| [SECURITY] Fedora 35 Update: redis-6.2.6-1.fc35 - package-announce - Fedora Mailing-Lists | FEDORA | lists.fedoraproject.org | |
| Fix invalid memory write on lua stack overflow {CVE-2021-32626} · redis/redis@666ed7f · GitHub | MISC | github.com | |
| October 2021 Redis Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| [SECURITY] Fedora 35 Update: redis-6.2.6-1.fc35 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| [SECURITY] Fedora 34 Update: redis-6.2.6-1.fc34 - package-announce - Fedora Mailing-Lists | lists.fedoraproject.org | ||
| Lua scripts can overflow the heap-based Lua stack · Advisory · redis/redis · GitHub | CONFIRM | github.com | |
| FEDORA-2021-61c487f241 | FEDORA | lists.fedoraproject.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 159435 Oracle Enterprise Linux Security Update for redis:5 (ELSA-2021-3918)
- 159436 Oracle Enterprise Linux Security Update for redis:6 (ELSA-2021-3945)
- 178879 Debian Security Update for redis (DSA 5001-1)
- 178883 Debian Security Update for redis (DLA 2810-1)
- 182394 Debian Security Update for redis (CVE-2021-32626)
- 239688 Red Hat Update for redis:5 (RHSA-2021:3918)
- 239725 Red Hat Update for red hat openstack platform 13.0 (redis) (RHSA-2021:3980)
- 239726 Red Hat Update for red hat openstack platform 10.0 (redis) (RHSA-2021:3971)
- 239727 Red Hat Update for rh-redis5-redis (RHSA-2021:3947)
- 239728 Red Hat Update for redis:5 (RHSA-2021:3946)
- 239731 Red Hat Update for redis:5 (RHSA-2021:3944)
- 239733 Red Hat Update for redis:6 (RHSA-2021:3945)
- 281978 Fedora Security Update for redis (FEDORA-2021-61c487f241)
- 281979 Fedora Security Update for redis (FEDORA-2021-8913c7900c)
- 356248 Amazon Linux Security Advisory for redis : ALASREDIS6-2023-007
- 500601 Alpine Linux Security Update for redis
- 501484 Alpine Linux Security Update for redis
- 501777 Alpine Linux Security Update for redis
- 504356 Alpine Linux Security Update for redis
- 710625 Gentoo Linux Redis Multiple Vulnerabilities (GLSA 202209-17)
- 730746 Redis Server Heap-based Buffer Overflow Vulnerability (GHSA-p486-xggp-782c)
- 751395 OpenSUSE Security Update for redis (openSUSE-SU-2021:3772-1)
- 900347 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (5965)
- 901079 Common Base Linux Mariner (CBL-Mariner) Security Update for redis (6844-1)
- 940139 AlmaLinux Security Update for redis:6 (ALSA-2021:3945)
- 940141 AlmaLinux Security Update for redis:5 (ALSA-2021:3918)
- 960683 Rocky Linux Security Update for redis:6 (RLSA-2021:3945)
- 960717 Rocky Linux Security Update for redis:5 (RLSA-2021:3918)