Candidate: CVE-2018-12326
PublicDate: 2018-06-17 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12326
 https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0
 https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50
 https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
 https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
Description:
 Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3
 allows an attacker to achieve code execution and escalate to higher
 privileges via a crafted command line. NOTE: It is unclear whether there
 are any common situations in which redis-cli is used with, for example, a
 -h (aka hostname) argument from an untrusted source.
Ubuntu-Description:
 It was discovered that Redis incorrectly handled certain arguments. An
 attacker could possibly use this issue to execute arbitrary code.
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [8.4 HIGH]


Patches_redis:
upstream_redis: released (5:4.0.10-1)
precise/esm_redis: DNE
trusty_redis: released (2:2.8.4-2ubuntu0.2)
trusty/esm_redis: released (2:2.8.4-2ubuntu0.2)
xenial_redis: released (2:3.0.6-1ubuntu0.2)
artful_redis: ignored (reached end-of-life)
bionic_redis: released (5:4.0.9-1ubuntu0.1)
cosmic_redis: not-affected (5:4.0.11-2)
devel_redis: not-affected (5:4.0.11-2)