CVE-2021-32761

Published on: 07/21/2021 12:00:00 AM UTC

Last Modified on: 07/22/2021 12:15:00 PM UTC

CVE-2021-32761 - advisory for GHSA-8wxq-j7rp-g8wj

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Certain versions of Redis from Redis contain the following vulnerability:

Redis is an in-memory database that persists on disk. A vulnerability involving an out-of-bounds read and an integer overflow leading to a buffer overflow exists starting with version 2.2 and prior to versions 5.0.13, 6.0.15, and 6.2.5. On 32-bit systems, the Redis `*BIT*` commands are vulnerable to an integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves changing the default `proto-max-bulk-len` configuration parameter to a very large value and constructing specially crafted bit commands. This problem only affects Redis on 32-bit platforms, or compiled as a 32-bit binary. Redis versions 5.0.13, 6.0.15, and 6.2.5 contain patches for this issue. An additional workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.
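
Two checks a defender would run against the conditions described above, as an added example (not code from the page or from the Redis project): whether a server's `INFO server` reply places it in an affected version range on a 32-bit build, and whether a user's ACL rule string still leaves CONFIG (and so CONFIG SET) reachable. The sample INFO output and ACL rules are constructed; the category set assumes the Redis 6 ACL documentation, where CONFIG belongs to @admin and @dangerous.

```python
"""Triage helpers for CVE-2021-32761 (added example, not Redis project code).
Sample INFO output and ACL rules are constructed, not captured from a server."""
import re

# Affected ranges from the advisory, as [lower, upper) per release line.
AFFECTED_RANGES = (((2, 2, 0), (5, 0, 13)), ((6, 0, 0), (6, 0, 15)),
                   ((6, 2, 0), (6, 2, 5)))
# Redis 6 command categories that contain CONFIG (from the ACL documentation).
CONFIG_CATEGORIES = {"@all", "@admin", "@dangerous"}

def parse_version(text):
    """'6.2.4' -> (6, 2, 4); a missing patch field ('2.2') reads as 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_info_server(info):
    """Map the 'key:value' lines of an INFO server reply to a dict."""
    fields = {}
    for line in info.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            fields[key] = value
    return fields

def is_affected(info):
    """Vulnerable only if the version is in range AND the build is 32-bit."""
    fields = parse_info_server(info)
    version = parse_version(fields["redis_version"])
    in_range = any(lo <= version < hi for lo, hi in AFFECTED_RANGES)
    return in_range and fields.get("arch_bits") == "32"

def acl_allows_config(rules):
    """Apply ACL tokens left to right (as Redis does) and report whether the
    user may still run CONFIG; '+config|get' alone does not grant CONFIG SET."""
    allowed = False
    for tok in rules.lower().split():
        if tok in ("allcommands", "+config") or (
                tok.startswith("+") and tok[1:] in CONFIG_CATEGORIES):
            allowed = True
        elif tok in ("nocommands", "-config") or (
                tok.startswith("-") and tok[1:] in CONFIG_CATEGORIES):
            allowed = False
    return allowed

if __name__ == "__main__":
    info = "# Server\r\nredis_version:6.2.4\r\narch_bits:32\r\n"
    print("affected:", is_affected(info))                           # True
    print("weak ACL:", acl_allows_config("on ~* +@all"))            # True
    print("hardened:", acl_allows_config("on ~* +@all -@dangerous"))  # False
```

A 64-bit build of an in-range version is reported as not affected, matching the advisory's scope; the ACL check is a first-pass review of redis.conf `user` lines, not a replacement for upgrading.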

  • CVE-2021-32761 has been assigned by [email protected] to track the vulnerability
  • Affected Vendor/Software: redis - redis version >= 2.2, < 5.0.13
  • Affected Vendor/Software: redis - redis version >= 6.0.0, < 6.0.15
  • Affected Vendor/Software: redis - redis version >= 6.2.0, < 6.2.5

CVE References

  • CONFIRM: Integer overflow issues with BITFIELD command on 32-bit systems · Advisory · redis/redis · GitHub (github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj)
  • MLIST: [debian-lts-announce] 20210722 [SECURITY] [DLA 2717-1] redis security update (lists.debian.org)

Related QID Numbers

  • 178718 Debian Security Update for redis (DLA 2717-1)

Known Affected Software

Vendor Product Version
Redis redis >= 2.2, < 5.0.13
Redis redis >= 6.0.0, < 6.0.15
Redis redis >= 6.2.0, < 6.2.5

Social Mentions

Source Title Posted (UTC)
Twitter @CVEreport CVE-2021-32761 : Redis is an in-memory database that persists on disk. A vulnerability involving out-of-bounds read… twitter.com/i/web/status/1… 2021-07-21 20:56:17
Twitter @LinInfoSec Redis - CVE-2021-32761: github.com/redis/redis/se… 2021-07-21 22:35:18
Twitter @the_yellow_fall CVE-2021-32761: Redis remote code execution vulnerability alert meterpreter.org/cve-2021-32761… #info #news #tech 2021-07-22 09:16:53
Twitter @coocoor Multiple versions of Redis vulnerable to Remote Code Execution. coocoor.io/advisory/CVE-2… #CyberSecurity… twitter.com/i/web/status/1… 2021-07-22 21:46:00
Twitter @morodog #News CVE-2021-32761: Redis remote code execution vulnerability alert: On July 21, 2021, Redis officially issued a… twitter.com/i/web/status/1… 2021-07-23 09:26:04
Twitter @morodog CVE-2021-32761: Redis remote code execution vulnerability alert: On July 21, 2021, Redis officially issued a risk n… twitter.com/i/web/status/1… 2021-07-23 13:28:03
Reddit /r/netcve CVE-2021-32761 2021-07-21 21:38:19
Reddit /r/msp Does CVE-2021-32761 only affect windows platform 2021-07-22 05:25:50

© CVE.report 2021


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
