CVE-2023-36824
CVSS 3.1 Score 8.8 of 10 (high)
Details
Summary
CVE-2023-36824 is a vulnerability affecting Redis, an in-memory database, in versions prior to 7.0.12. This issue allows authenticated users to trigger a heap overflow through the `COMMAND GETKEYS` or `COMMAND GETKEYSANDFLAGS` commands, potentially resulting in reading random heap memory, heap corruption, and remote code execution. The cause is the extraction of key names from a command and a list of arguments. An attacker can exploit this vulnerability by crafting a specially designed command that takes advantage of this behavior. Users with ACL rules matching key names are also at risk of executing the malicious command. The vulnerability is resolved in Redis 7.0.12.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- Redis
- Fedora Operating System
Affected Vendors
- Redis
- Fedora Project