CVE-2024-31228

CVE-2024-31228

Name

CVE-2024-31228

Description

Redis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
CONFIRM	https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
MISC	https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/11/msg00031.html

Type

URI

CONFIRM

https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976

MISC

https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0

af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2024/11/msg00031.html

Source package	Min version	Max version
redis	>= 2.2.5	< 6.2.16
redis	>= 7.0.0	< 7.2.6
redis	>= 7.3.0	< 7.4.1

CPE URI

Source package

Min version

Max version

redis

>= 2.2.5

< 6.2.16

redis

>= 7.0.0

< 7.2.6

redis

>= 7.3.0

< 7.4.1

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
valkey	edge-main	7.2.7-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
valkey	3.22-main	7.2.7-r0	None	fixed
valkey	3.21-main	7.2.7-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
valkey	3.20-main	7.2.7-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
redis	edge-main	7.2.4-r1	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.2.4-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.2.3-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.2.2-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.2.1-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.2.0-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.12-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.11-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.10-r1	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.10-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.9-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.8-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.7-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.6-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.5-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	7.0.4-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	6.2.7-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	6.2.6-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	6.2.5-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	6.2.4-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-main	6.2.0-r0	None	possibly vulnerable
redis	edge-main	6.0.3-r0	None	possibly vulnerable
redis	edge-main	5.0.8-r0	None	possibly vulnerable
redis	edge-main	5.0.4-r0	None	possibly vulnerable
redis	edge-community	7.2.5-r2	fossdd <fossdd@pwned.life>	fixed
redis	edge-community	7.2.5-r1	TBK <alpine@jjtc.eu>	fixed
redis	edge-community	7.2.5-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-community	7.2.4-r1	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	edge-community	7.2.4-r0	None	possibly vulnerable
redis	edge-community	7.2.2-r0	None	possibly vulnerable
redis	edge-community	7.2.1-r0	None	possibly vulnerable
redis	edge-community	7.0.12-r0	None	possibly vulnerable
redis	edge-community	7.0.8-r0	None	possibly vulnerable
redis	edge-community	7.0.6-r0	None	possibly vulnerable
redis	edge-community	7.0.5-r0	None	possibly vulnerable
redis	edge-community	7.0.4-r0	None	possibly vulnerable
redis	edge-community	6.2.7-r0	None	possibly vulnerable
redis	edge-community	6.2.6-r0	None	possibly vulnerable
redis	edge-community	6.2.5-r0	None	possibly vulnerable
redis	edge-community	6.2.4-r0	None	possibly vulnerable
redis	edge-community	6.2.0-r0	None	possibly vulnerable
redis	edge-community	6.0.3-r0	None	possibly vulnerable
redis	edge-community	5.0.8-r0	None	possibly vulnerable
redis	edge-community	5.0.4-r0	None	possibly vulnerable
redis	3.22-community	7.2.5-r1	None	fixed
redis	3.22-community	7.2.4-r0	None	possibly vulnerable
redis	3.22-community	7.2.2-r0	None	possibly vulnerable
redis	3.22-community	7.2.1-r0	None	possibly vulnerable
redis	3.22-community	7.0.12-r0	None	possibly vulnerable
redis	3.22-community	7.0.8-r0	None	possibly vulnerable
redis	3.22-community	7.0.6-r0	None	possibly vulnerable
redis	3.22-community	7.0.5-r0	None	possibly vulnerable
redis	3.22-community	7.0.4-r0	None	possibly vulnerable
redis	3.22-community	6.2.7-r0	None	possibly vulnerable
redis	3.22-community	6.2.6-r0	None	possibly vulnerable
redis	3.22-community	6.2.5-r0	None	possibly vulnerable
redis	3.22-community	6.2.4-r0	None	possibly vulnerable
redis	3.22-community	6.2.0-r0	None	possibly vulnerable
redis	3.22-community	6.0.3-r0	None	possibly vulnerable
redis	3.22-community	5.0.8-r0	None	possibly vulnerable
redis	3.22-community	5.0.4-r0	None	possibly vulnerable
redis	3.21-community	7.2.5-r1	None	fixed
redis	3.20-community	7.2.5-r1	TBK <alpine@jjtc.eu>	fixed
redis	3.19-main	7.2.4-r1	TBK <alpine@jjtc.eu>	fixed
redis	3.19-main	7.2.4-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	3.19-main	7.2.3-r0	TBK <alpine@jjtc.eu>	possibly vulnerable
redis	3.19-main	7.2.2-r0	None	possibly vulnerable
redis	3.19-main	7.2.1-r0	None	possibly vulnerable
redis	3.19-main	7.0.12-r0	None	possibly vulnerable
redis	3.19-main	7.0.8-r0	None	possibly vulnerable
redis	3.19-main	7.0.6-r0	None	possibly vulnerable
redis	3.19-main	7.0.5-r0	None	possibly vulnerable
redis	3.19-main	7.0.4-r0	None	possibly vulnerable
redis	3.19-main	6.2.7-r0	None	possibly vulnerable
redis	3.19-main	6.2.6-r0	None	possibly vulnerable
redis	3.19-main	6.2.5-r0	None	possibly vulnerable
redis	3.19-main	6.2.4-r0	None	possibly vulnerable
redis	3.19-main	6.2.0-r0	None	possibly vulnerable
redis	3.19-main	6.0.3-r0	None	possibly vulnerable
redis	3.19-main	5.0.8-r0	None	possibly vulnerable
redis	3.19-main	5.0.4-r0	None	possibly vulnerable
redis	3.18-main	7.0.15-r1	TBK <alpine@jjtc.eu>	fixed
redis	3.17-main	7.0.15-r1	TBK <alpine@jjtc.eu>	fixed
redict	edge-community	7.3.1-r0	fossdd <fossdd@pwned.life>	fixed
redict	3.22-community	7.3.1-r0	None	fixed
redict	3.21-community	7.3.1-r0	fossdd <fossdd@pwned.life>	fixed
redict	3.20-community	7.3.1-r0	fossdd <fossdd@pwned.life>	fixed

Source package

Branch

Version

Maintainer

Status

valkey

edge-main

7.2.7-r0

Jakub Jirutka <jakub@jirutka.cz>

fixed

valkey

3.22-main