Vulnerability Description
Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redis | Redis | >= 6.2.0, < 6.2.9 |
Related Weaknesses (CWE)
References
- https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02PatchThird Party Advisory
- https://github.com/redis/redis/releases/tag/6.2.9Release NotesThird Party Advisory
- https://github.com/redis/redis/releases/tag/7.0.8Release NotesThird Party Advisory
- https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprjThird Party Advisory
- https://github.com/redis/redis/commit/16f408b1a0121cacd44cbf8aee275d69dc627f02PatchThird Party Advisory
- https://github.com/redis/redis/releases/tag/6.2.9Release NotesThird Party Advisory
- https://github.com/redis/redis/releases/tag/7.0.8Release NotesThird Party Advisory
- https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprjThird Party Advisory
FAQ
What is CVE-2023-22458?
CVE-2023-22458 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing ...
How severe is CVE-2023-22458?
CVE-2023-22458 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-22458?
Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis.