CVE-2021-32626

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

CVSS v3 8.8 HIGH
CVSS v2.0 6.5 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591	Patch Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c	Third Party Advisory
https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
https://security.gentoo.org/glsa/202209-17	Third Party Advisory
https://security.netapp.com/advisory/ntap-20211104-0003/	Third Party Advisory
https://www.debian.org/security/2021/dsa-5001	Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html	Patch Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::

Configuration 2 (hide)

OR	cpe:2.3:o:fedoraproject:fedora:33:::::::*
	cpe:2.3:o:fedoraproject:fedora:34:::::::*
	cpe:2.3:o:fedoraproject:fedora:35:::::::*

Configuration 3 (hide)

OR	cpe:2.3:a:netapp:management_services_for_element_software:-:::::::*
	cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::*

Configuration 4 (hide)

OR	cpe:2.3:o:debian:debian_linux:10.0:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*

Configuration 5 (hide)

OR	cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::*
	cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::*

History

07 Nov 2023, 03:35

Type	Values Removed	Values Added
References	{'url': 'https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E', 'name': '[druid-commits] 20211025 [GitHub] [druid] jihoonson opened a new pull request #11844: Bump netty4 to 4.1.68; suppress CVE-2021-37136 and CVE-2021-37137 for netty3', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'MLIST'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/', 'name': 'FEDORA-2021-aa94492a09', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/', 'name': 'FEDORA-2021-61c487f241', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/', 'name': 'FEDORA-2021-8913c7900c', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'}	() https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ - () https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ - () https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0%40%3Ccommits.druid.apache.org%3E -

06 Oct 2022, 16:54

Type	Values Removed	Values Added
References	~~(GENTOO) https://security.gentoo.org/glsa/202209-17 -~~	(GENTOO) https://security.gentoo.org/glsa/202209-17 - Third Party Advisory

29 Sep 2022, 17:15

Type	Values Removed	Values Added
References		(GENTOO) https://security.gentoo.org/glsa/202209-17 -
CWE		CWE-122

13 May 2022, 17:21

Type	Values Removed	Values Added
References	~~(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -~~	(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html - Patch, Third Party Advisory
CPE	cpe:2.3:a:netapp:hci:-:::::::*	cpe:2.3:a:netapp:management_services_for_netapp_hci:-:::::::* cpe:2.3:a:oracle:communications_operations_monitor:4.4:::::::* cpe:2.3:a:oracle:communications_operations_monitor:4.3:::::::* cpe:2.3:a:oracle:communications_operations_monitor:5.0:::::::*
First Time		Netapp management Services For Netapp Hci Oracle communications Operations Monitor Oracle

20 Apr 2022, 00:15

Type	Values Removed	Values Added
References		(MISC) https://www.oracle.com/security-alerts/cpuapr2022.html -

28 Nov 2021, 23:14

Type	Values Removed	Values Added
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - Mailing List, Third Party Advisory
References	~~(DEBIAN) https://www.debian.org/security/2021/dsa-5001 -~~	(DEBIAN) https://www.debian.org/security/2021/dsa-5001 - Third Party Advisory
CPE	cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:::::::*	cpe:2.3:a:netapp:hci:-:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:a:netapp:management_services_for_element_software:-:::::::* cpe:2.3:o:debian:debian_linux:10.0:::::::*
CWE	~~CWE-122~~

17 Nov 2021, 22:18

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - (DEBIAN) https://www.debian.org/security/2021/dsa-5001 -

10 Nov 2021, 01:17

Type	Values Removed	Values Added
References	~~{'url': 'https://security.netapp.com/advisory/ntap-20211104-0003/', 'name': 'https://security.netapp.com/advisory/ntap-20211104-0003/', 'tags': ['Third Party Advisory'], 'refsource': 'CONFIRM'}~~ {'url': 'https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/', 'name': 'FEDORA-2021-aa94492a09', 'tags': ['Mailing List', 'Third Party Advisory'], 'refsource': 'FEDORA'} ~~{'url': 'https://www.debian.org/security/2021/dsa-5001', 'name': 'DSA-5001', 'tags': [], 'refsource': 'DEBIAN'}~~

06 Nov 2021, 11:15

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2021/dsa-5001 -

05 Nov 2021, 18:35

Type	Values Removed	Values Added
References	~~(MLIST) https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E -~~	(MLIST) https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ -~~	(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ - Mailing List, Third Party Advisory
CPE		cpe:2.3:a:netapp:management_services_for_element_software_and_netapp_hci:-:::::::* cpe:2.3:o:fedoraproject:fedora:35:::::::*

04 Nov 2021, 09:15

Type	Values Removed	Values Added
References		(CONFIRM) https://security.netapp.com/advisory/ntap-20211104-0003/ -

30 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/ -

26 Oct 2021, 01:15

Type	Values Removed	Values Added
References		(MLIST) https://lists.apache.org/thread.html/r75490c61c2cb7b6ae2c81238fd52ae13636c60435abcd732d41531a0@%3Ccommits.druid.apache.org%3E -

13 Oct 2021, 16:04

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~7.5~~	v2 : 6.5 v3 : 8.8
CPE		cpe:2.3:a:redis:redis:::::::: cpe:2.3:o:fedoraproject:fedora:34:::::::* cpe:2.3:o:fedoraproject:fedora:33:::::::*
References	~~(MISC) https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591 -~~	(MISC) https://github.com/redis/redis/commit/666ed7facf4524bf6d19b11b20faa2cf93fdf591 - Patch, Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ - Mailing List, Third Party Advisory
References	~~(CONFIRM) https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c -~~	(CONFIRM) https://github.com/redis/redis/security/advisories/GHSA-p486-xggp-782c - Third Party Advisory
References	~~(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -~~	(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ - Mailing List, Third Party Advisory

13 Oct 2021, 02:15

Type	Values Removed	Values Added
References		(FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/ - (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/ -
CWE		CWE-787 CWE-122

04 Oct 2021, 18:18

Type	Values Removed	Values Added
New CVE

Information

Published : 2021-10-04 18:15

Updated : 2023-12-10 14:09

NVD link : CVE-2021-32626

Mitre link : CVE-2021-32626

CVE.ORG link : CVE-2021-32626

JSON object : View

Products Affected

netapp

management_services_for_netapp_hci
management_services_for_element_software

debian

debian_linux

oracle

communications_operations_monitor

fedoraproject

fedora

redis

redis

CWE

CWE-122

Heap-based Buffer Overflow

CWE-787

Out-of-bounds Write

8.8 /10