CVE-2021-31294

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.

*Credits: N/A

CVSS Scores

NISTv3.1 5.9

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

Poc

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2021-04-15 CVE Reserved
2023-07-15 CVE Published
2024-08-16 EPSS Updated
2024-10-30 CVE Updated
2024-10-30 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-617: Reachable Assertion

CAPEC

References (4)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20230814-0007

URL	Date	SRC
https://github.com/redis/redis/issues/8712	2024-10-30

URL	Date	SRC
https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48	2023-08-14
https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f	2023-08-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Redis Search vendor "Redis"		Redis Search vendor "Redis" for product "Redis"				< 6.2.0 Search vendor "Redis" for product "Redis" and version " < 6.2.0"		-		Affected