CVE-2021-32672

Name
CVE-2021-32672
Description
Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
CONFIRM https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm
MISC https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
CONFIRM https://security.netapp.com/advisory/ntap-20211104-0003/
DEBIAN https://www.debian.org/security/2021/dsa-5001
MISC https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:* redis >= 3.2.0 < 5.0.14
cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:* redis >= 6.0.0 < 6.0.16
cpe:2.3:a:redislabs:redis:*:*:*:*:*:*:*:* redis >= 6.2.0 < 6.2.6

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
redis 3.13-main 6.0.16-r0 TBK <alpine@jjtc.eu> fixed
redis 3.12-main 5.0.14-r0 TBK <alpine@jjtc.eu> fixed
redis 3.11-main 5.0.14-r0 TBK <alpine@jjtc.eu> fixed