CVSS: 8.1EPSS: 5%CPEs: 4EXPL: 0CVE-2023-41056 – Redis vulnerable to integer overflow in certain payloads
https://notcve.org/view.php?id=CVE-2023-41056
10 Jan 2024 — Redis is an in-memory database that persists on disk. Redis incorrectly handles resizing of memory buffers which can result in integer overflow that leads to heap overflow and potential remote code execution. This issue has been patched in version 7.0.15 and 7.2.4. Redis es una base de datos en memoria que persiste en el disco. Redis maneja incorrectamente el cambio de tamaño de los búferes de memoria, lo que puede provocar un desbordamiento de enteros que provoca un desbordamiento del montón y una posible ... • https://github.com/redis/redis/releases/tag/7.0.15 • CWE-190: Integer Overflow or Wraparound CWE-762: Mismatched Memory Management Routines •
CVSS: 3.6EPSS: 0%CPEs: 8EXPL: 0CVE-2023-45145 – Redis Unix-domain socket may have be exposed with the wrong permissions for a short time window.
https://notcve.org/view.php?id=CVE-2023-45145
18 Oct 2023 — Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. • https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1 • CWE-269: Improper Privilege Management CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 3.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-41053 – Redis SORT_RO may bypass ACL configuration
https://notcve.org/view.php?id=CVE-2023-41053
06 Sep 2023 — Redis is an in-memory database that persists on disk. Redis does not correctly identify keys accessed by `SORT_RO` and as a result may grant users executing this command access to keys that are not explicitly authorized by the ACL configuration. The problem exists in Redis 7.0 or newer and has been fixed in Redis 7.0.13 and 7.2.1. Users are advised to upgrade. There are no known workarounds for this vulnerability. • https://github.com/redis/redis/commit/9e505e6cd842338424e05883521ca1fb7d0f47f6 • CWE-269: Improper Privilege Management •