CVE-2023-45145

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
3.6 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
GitHub_MCNA
3.6 LOW
LOCAL
HIGH
LOW
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 62%
VendorProductVersion
redisredis
2.6.0 ≤
𝑥
< 6.2.14
redisredis
7.0.0 ≤
𝑥
< 7.0.14
redisredis
7.2.0 ≤
𝑥
< 7.2.2
redisredis
2.6.0:rc1
debiandebian_linux
10.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
redis
bullseye
vulnerable
bullseye (security)
5:6.0.16-1+deb11u4
fixed
bookworm
5:7.0.15-1~deb12u1
fixed
bookworm (security)
5:7.0.15-1~deb12u1
fixed
trixie
5:7.0.15-2
fixed
sid
5:7.0.15-2
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
redis
oracular
not-affected
noble
not-affected
mantic
ignored
lunar
ignored
jammy
Fixed 5:6.0.16-1ubuntu1+esm1
released
focal
Fixed 5:5.0.7-2ubuntu0.1+esm2
released
bionic
Fixed 5:4.0.9-1ubuntu0.2+esm4
released
xenial
Fixed 2:3.0.6-1ubuntu0.4+esm2
released
trusty
Fixed 2:2.8.4-2ubuntu0.2+esm3
released
Common Weakness Enumeration
References
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/
https://security.netapp.com/advisory/ntap-20231116-0014/
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/
https://security.netapp.com/advisory/ntap-20231116-0014/