Vulnerability Description
Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redis | Redis | >= 3.2.0, < 5.0.14 |
| Redhat | Software Collections | - |
| Redhat | Enterprise Linux | 8.0 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 33 |
| Netapp | Management Services For Element Software | - |
| Netapp | Management Services For Netapp Hci | - |
| Oracle | Communications Operations Monitor | 4.3 |
Related Weaknesses (CWE)
References
- https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd (Patch, Third Party Advisory)
- https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.gentoo.org/glsa/202209-17 (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20211104-0003/ (Third Party Advisory)
- https://www.debian.org/security/2021/dsa-5001 (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpuapr2022.html (Patch, Third Party Advisory)
FAQ
What is CVE-2021-32672?
CVE-2021-32672 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond th...
How severe is CVE-2021-32672?
CVE-2021-32672 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-32672?
Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis, Redhat Software Collections, Redhat Enterprise Linux, Debian Debian Linux, Fedoraproject Fedora.