CVE-2024-31228

Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
5.5 MEDIUM
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Debian logo
Debian Releases
Debian Product
Codename
redict
sid
7.3.2+ds-1
fixed
redis
bullseye
vulnerable
bullseye (security)
5:6.0.16-1+deb11u6
fixed
bookworm
5:7.0.15-1~deb12u4
fixed
bookworm (security)
5:7.0.15-1~deb12u3
fixed
trixie
5:7.0.15-3
fixed
sid
5:8.0.0-2
fixed
valkey
sid
8.1.1+dfsg1-1
fixed
trixie
8.1.1+dfsg1-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
redis
plucky
needs-triage
oracular
Fixed 5:7.0.15-1ubuntu0.24.10.1
released
noble
Fixed 5:7.0.15-1ubuntu0.24.04.1
released
jammy
Fixed 5:6.0.16-1ubuntu1+esm2
released
focal
Fixed 5:5.0.7-2ubuntu0.1+esm3
released
bionic
Fixed 5:4.0.9-1ubuntu0.2+esm5
released
xenial
Fixed 2:3.0.6-1ubuntu0.4+esm3
released
trusty
Fixed 2.8.4-2ubuntu0.2+esm4
released
Common Weakness Enumeration
References
https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0
https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976