{"api_version":"1","generated_at":"2026-04-23T06:21:28+00:00","cve":"CVE-2023-28856","urls":{"html":"https://cve.report/CVE-2023-28856","api":"https://cve.report/api/cve/CVE-2023-28856.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-28856","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-28856"},"summary":{"title":"CVE-2023-28856","description":"Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.","state":"PUBLIC","assigner":"security-advisories@github.com","published_at":"2023-04-18 21:15:00","updated_at":"2023-06-01 14:15:00"},"problem_types":["CWE-617"],"metrics":[],"references":[{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 37 Update: redis-7.0.11-1.fc37 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 38 Update: redis-7.0.11-1.fc38 - package-announce - Fedora 
Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6","name":"https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6","refsource":"MISC","tags":[],"title":"HINCRBYFLOAT can be used to crash a redis-server process · Advisory · redis/redis · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html","name":"https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html","refsource":"MISC","tags":[],"title":"[SECURITY] [DLA 3396-1] redis security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/","refsource":"MISC","tags":[],"title":"[SECURITY] Fedora 36 Update: redis-6.2.12-1.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c","name":"https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c","refsource":"MISC","tags":[],"title":"fix hincrbyfloat not to create a key if the new value is invalid (#11… · redis/redis@bc7fe41 · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20230601-0007/","name":"https://security.netapp.com/advisory/ntap-20230601-0007/","refsource":"MISC","tags":[],"title":"CVE-2023-28856 Redis Vulnerability in NetApp Products | NetApp Product 
Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/redis/redis/pull/11149","name":"https://github.com/redis/redis/pull/11149","refsource":"MISC","tags":[],"title":"fix hincrbyfloat not to create a key if the new value is invalid by chendq8 · Pull Request #11149 · redis/redis · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-28856","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-28856","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"28856","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"10.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28856","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28856","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"37","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28856","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"38","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2023","cve_id":"28856","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redis","cpe5":"redis","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"ve
ndor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-28856","qid":"181746","title":"Debian Security Update for redis (DLA 3396-1)"},{"cve":"CVE-2023-28856","qid":"184239","title":"Debian Security Update for redis (CVE-2023-28856)"},{"cve":"CVE-2023-28856","qid":"199978","title":"Ubuntu Security Notification for Redis Vulnerabilities (USN-6531-1)"},{"cve":"CVE-2023-28856","qid":"283943","title":"Fedora Security Update for redis (FEDORA-2023-5b6510a584)"},{"cve":"CVE-2023-28856","qid":"283944","title":"Fedora Security Update for redis (FEDORA-2023-04239b5758)"},{"cve":"CVE-2023-28856","qid":"284169","title":"Fedora Security Update for redis (FEDORA-2023-e4e3393396)"},{"cve":"CVE-2023-28856","qid":"355163","title":"Amazon Linux Security Advisory for redis6 : ALAS2023-2023-164"},{"cve":"CVE-2023-28856","qid":"691163","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for redis (96b2d4db-ddd2-11ed-b6ea-080027f5fec9)"},{"cve":"CVE-2023-28856","qid":"906881","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for redis (26267-1)"},{"cve":"CVE-2023-28856","qid":"906904","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for redis (26290-1)"}]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2023-28856","ASSIGNER":"security-advisories@github.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Redis is an open source, in-memory database that persists on disk. Authenticated users can use the `HINCRBYFLOAT` command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. 
There are no known workarounds for this issue."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-617: Reachable Assertion","cweId":"CWE-617"}]},{"description":[{"lang":"eng","value":"CWE-20: Improper Input Validation","cweId":"CWE-20"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"redis","product":{"product_data":[{"product_name":"redis","version":{"version_data":[{"version_affected":"=","version_value":">= 7.0.0, < 7.0.11"},{"version_affected":"=","version_value":">= 6.2.0, < 6.2.12"},{"version_affected":"=","version_value":"< 6.0.19"}]}}]}}]}},"references":{"reference_data":[{"url":"https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6","refsource":"MISC","name":"https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6"},{"url":"https://github.com/redis/redis/pull/11149","refsource":"MISC","name":"https://github.com/redis/redis/pull/11149"},{"url":"https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c","refsource":"MISC","name":"https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c"},{"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html","refsource":"MISC","name":"https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4D
MR55AWK6OPVJH5UTEB35R2Z/","refsource":"MISC","name":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/"},{"url":"https://security.netapp.com/advisory/ntap-20230601-0007/","refsource":"MISC","name":"https://security.netapp.com/advisory/ntap-20230601-0007/"}]},"source":{"advisory":"GHSA-hjv8-vjf6-wcr6","discovery":"UNKNOWN"},"impact":{"cvss":[{"attackComplexity":"LOW","attackVector":"LOCAL","availabilityImpact":"HIGH","baseScore":5.5,"baseSeverity":"MEDIUM","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","version":"3.1"}]}},"nvd":{"publishedDate":"2023-04-18 21:15:00","lastModifiedDate":"2023-06-01 14:15:00","problem_types":["CWE-617"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*","versionStartIncluding":"7.0.0","versionEndExcluding":"7.0.11","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*","versionStartIncluding":"6.2.0","versionEndExcluding":"6.2.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*","versionEndExcluding":"6.0.19","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cp
e:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}