CVE-2021-29477 - log back

CVE-2021-29477 edited at 04 May 2021 17:48:22
Severity
- Medium
+ High
CVE-2021-29477 edited at 04 May 2021 17:46:30
Description
- An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. Integer overflow in COPY command for large intsets. The issue is fixed in Redis version 6.2.3.
+ An integer overflow bug in Redis version 6.0 or newer could be exploited using the "STRALGO LCS" command to corrupt the heap and potentially result in remote code execution. The problem is fixed in version 6.2.3. An additional workaround to mitigate the problem without patching the redis-server executable is to use ACL configuration to prevent clients from using the "STRALGO LCS" command.
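The ACL workaround named in the description, as an added example that is not part of the tracker record or the Redis project: a users.acl fragment that denies the STRALGO command for the default user. The file path and the password placeholder are assumptions; the `-stralgo` rule denies the whole command because 6.0/6.2 ACLs cannot deny a single subcommand.

```conf
# users.acl (assumed path, loaded via "aclfile /etc/redis/users.acl" in redis.conf)
# Workaround for CVE-2021-29477 on unpatched 6.0 - 6.2.2 servers:
# keep the default user's existing permissions but remove STRALGO.
# "CHANGE_ME" is a placeholder; set a real password, do not use "nopass".
user default on >CHANGE_ME ~* +@all -stralgo

# Equivalent runtime change, then persist it:
#   redis-cli ACL SETUSER default -stralgo
#   redis-cli ACL SAVE
# Verify with "ACL LIST"; the entry must show "-stralgo" after "+@all".
# A client issuing STRALGO LCS afterwards receives a NOPERM error.
```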
References
- https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
+ https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g
https://github.com/redis/redis/commit/92e3b1802f72ca0c5b0bde97f01d9b57a758d85c
CVE-2021-29477 edited at 04 May 2021 09:50:30
Severity
- Unknown
+ Medium
Remote
- Unknown
+ Remote
Type
- Unknown
+ Arbitrary code execution
Description
+ An integer overflow bug in Redis version 6.0 or newer could be exploited using the STRALGO LCS command to corrupt the heap and potentially result in remote code execution. The integer overflow bug exists in all versions of Redis starting with 6.0. Integer overflow in COPY command for large intsets. The issue is fixed in Redis version 6.2.3.
References
+ https://groups.google.com/g/redis-db/c/6GSWzTW0PR8/m/8FbdIEEoBAAJ
+ https://github.com/redis/redis/commit/92e3b1802f72ca0c5b0bde97f01d9b57a758d85c
Notes
CVE-2021-29477 created at 04 May 2021 09:48:29