CVE-2023-45145 — LOW (3.6) — White Hats Nepal

Q: How severe is CVE-2023-45145?

CVE-2023-45145 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2023-45145?

Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis, Fedoraproject Fedora, Debian Debian Linux.

Vulnerability Description

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

CVSS Score

3.6

LOW

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Redis	Redis	>= 2.6.0, < 6.2.14
Fedoraproject	Fedora	37
Debian	Debian Linux	10.0

Related Weaknesses (CWE)

CWE-668

References

https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1Patch
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvxVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://security.netapp.com/advisory/ntap-20231116-0014/Third Party Advisory
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1Patch
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvxVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://security.netapp.com/advisory/ntap-20231116-0014/Third Party Advisory

FAQ

What is CVE-2023-45145?

CVE-2023-45145 is a vulnerability with a CVSS score of 3.6 (LOW). Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) ...

How severe is CVE-2023-45145?

CVE-2023-45145 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-45145?

Check the references section above for vendor advisories and patch information. Affected products include: Redis Redis, Fedoraproject Fedora, Debian Debian Linux.