CVE-2021-32672
Published: 4 October 2021
Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
redis Launchpad, Ubuntu, Debian |
bionic |
Released
(5:4.0.9-1ubuntu0.2+esm3)
Available with Ubuntu Pro |
| focal |
Released
(5:5.0.7-2ubuntu0.1+esm1)
Available with Ubuntu Pro |
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Ignored
(end of life)
|
|
| jammy |
Not vulnerable
(5:6.0.16-1)
|
|
| kinetic |
Not vulnerable
(5:6.0.16-1)
|
|
| lunar |
Not vulnerable
(5:6.0.16-1)
|
|
| mantic |
Not vulnerable
(5:6.0.16-1)
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Released
(5:6.0.16-1)
|
|
| xenial |
Not vulnerable
(code not present)
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 4.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |