CVE-2021-32761 log

Severity High
Remote Yes
Type Arbitrary code execution
A security issue has been found in Redis before version 6.2.5. In 32-bit versions, the Redis BITFIELD command is vulnerable to an integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.
Group Package Affected Fixed Severity Status Ticket
AVG-2204 redis 6.2.4-1 6.2.5-1 High Not affected

A workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.