Candidate: CVE-2016-10517
PublicDate: 2017-10-24 18:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10517
 https://github.com/antirez/redis/commit/874804da0c014a7d704b3d285aa500098a931f50
 https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES
 https://www.reddit.com/r/redis/comments/5r8wxn/redis_327_is_out_important_security_fixes_inside/
Description:
 networking.c in Redis before 3.2.7 allows "Cross Protocol Scripting"
 because it lacks a check for POST and Host: strings, which are not valid in
 the Redis protocol (but commonly occur when an attack triggers an HTTP
 request to the Redis TCP port).
Ubuntu-Description:
 It was discovered that Redis incorrectly handled certain HTTP POST
 requests. An attacker could possibly use this issue to execute a Cross
 Protocol Scripting (CAS) attack.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N [7.4 HIGH]


Patches_redis:
upstream_redis: needs-triage
precise/esm_redis: DNE
trusty_redis: released (2:2.8.4-2ubuntu0.2)
trusty/esm_redis: released (2:2.8.4-2ubuntu0.2)

xenial_redis: released (2:3.0.6-1ubuntu0.2)

zesty_redis: ignored (reached end-of-life)
artful_redis: released (4:4.0.1-7)
bionic_redis: not-affected (4:4.0.1-7)
devel_redis: not-affected (4:4.0.1-7)