CVE-2021-32761 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	High
Remote	Yes
Type	Arbitrary code execution
Description	A security issue has been found in Redis before version 6.2.5. In 32-bit versions, the Redis BITFIELD command is vulnerable to an integer overflow that can potentially be exploited to corrupt the heap, leak arbitrary heap contents or trigger remote code execution. The vulnerability involves constructing specially crafted bit commands which overflow the bit offset.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-2204	redis	6.2.4-1	6.2.5-1	High	Not affected

References
https://github.com/redis/redis/security/advisories/GHSA-8wxq-j7rp-g8wj https://github.com/redis/redis/pull/9191 https://github.com/redis/redis/commit/835d15b5360e277e6f95529c4d8685946a977ddd

Notes
Workaround ========== A workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.

Notes

Workaround
==========

A workaround to mitigate the problem without patching the `redis-server` executable is to prevent users from modifying the `proto-max-bulk-len` configuration parameter. This can be done using ACL to restrict unprivileged users from using the CONFIG SET command.