
Potential heap overflow in Redis 7.0 XAUTOCLAIM command.

High
yossigo published GHSA-96f7-42fg-2jrh Jul 18, 2022

Package

redis-server (N/A)

Affected versions

>= 7.0.0

Patched versions

7.0.4

Description

Impact

A specially crafted XAUTOCLAIM command on a stream key in a specific state may result in a heap overflow, and potentially remote code execution. The problem affects Redis versions 7.0.0 or newer.

Patches

The problem is fixed in Redis version 7.0.4.
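The affected range given above (7.0.0 and newer, fixed in 7.0.4) is easy to get wrong with string comparison ("7.0.10" sorts before "7.0.4" lexically). The following inventory check is an added example, not part of this advisory or of the Redis project: it parses the `redis_version:` line from the server's `INFO` output and compares numerically against the advisory's range. The `INFO` text embedded in it is a constructed sample, and pre-release suffixes such as `-rc1` are deliberately treated as the base version, so a 7.0.0 release candidate is reported as affected.

```python
"""Check whether a Redis build is in the range affected by GHSA-96f7-42fg-2jrh /
CVE-2022-31144: >= 7.0.0 and < 7.0.4 (bounds taken from the advisory).

Added example; not the advisory's or the Redis project's own code.
"""
import re

AFFECTED_FROM = (7, 0, 0)  # first affected release, per the advisory
PATCHED_IN = (7, 0, 4)     # release carrying the fix, per the advisory


def parse_version(text):
    """Turn 'X.Y.Z' (optionally followed by a suffix such as '-rc1') into an int tuple.

    Any suffix is ignored on purpose: a pre-release of 7.0.0 is treated as 7.0.0,
    which errs on the side of reporting it as affected.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Redis version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True if the version lies in [7.0.0, 7.0.4).

    Tuple comparison is numeric per component, so (7, 0, 10) correctly sorts
    after (7, 0, 4); comparing the raw strings would get this wrong.
    """
    v = parse_version(version)
    return AFFECTED_FROM <= v < PATCHED_IN


def redis_version_from_info(info_text):
    """Extract the value of the 'redis_version:' field from INFO output."""
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no redis_version field in INFO output")


def assess_info(info_text):
    """Return (version, affected) for one server's INFO text."""
    version = redis_version_from_info(info_text)
    return version, is_affected(version)


# Constructed sample of the INFO 'Server' section (CRLF-terminated, as Redis emits it).
SAMPLE_INFO = "# Server\r\nredis_version:7.0.2\r\nredis_mode:standalone\r\n"

if __name__ == "__main__":
    version, affected = assess_info(SAMPLE_INFO)
    verdict = "AFFECTED, upgrade to 7.0.4 or later" if affected else "not affected"
    print(f"redis {version}: {verdict}")
```

In practice the `INFO` text would come from `redis-cli INFO server` or a client library call against each server in the fleet; the server-side check above then flags any 7.0.x build below 7.0.4 for upgrade.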

For more information

If you have any questions or comments about this advisory:

Severity

High (7.0 / 10)

CVSS base metrics

Attack vector: Local
Attack complexity: High
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2022-31144

Weaknesses