Specially crafted MSETNX command can lead to denial-of-service

Moderate

oranagra published GHSA-mvmm-4vq6-vw8c

Mar 20, 2023

Package

Redis

Affected versions

>= 7.0.8

Patched versions

7.0.10

Description

Impact

Authenticated users can use the MSETNX command to trigger a runtime assertion and termination of the Redis server process.

Patches

The problem is fixed in Redis versions 7.0.10.

Credit

The issue has been identified by Yupeng Yang.

For more information

If you have any questions or comments about this advisory:

Open an issue in the Redis repository
Email us at redis@redis.io

Severity

Moderate

5.5

/ 10

CVSS base metrics

Attack vector

Local

Attack complexity

Low

Privileges required

Low

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H