Strix
26.1K

CVE-2021-32626

HIGHCVSS 8.8/10EPSS 15.13%

Last modified

CVE-2021-32626 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. EPSS estimates a 15.13% chance of exploitation in the next 30 days.

Description

Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.

Metrics

CVSS 3.1
8.8/10

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
15.13%

96.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
RedisRedis>= 2.6, < 5.0.14
RedisRedis>= 6.0.0, < 6.0.16
RedisRedis>= 6.2.0, < 6.2.6
FedoraprojectFedora33
FedoraprojectFedora34
FedoraprojectFedora35
NetappManagement Services For Element SoftwareAll versions
NetappManagement Services For Netapp HciAll versions
DebianDebian Linux10.0
DebianDebian Linux11.0
OracleCommunications Operations Monitor4.3
OracleCommunications Operations Monitor4.4
OracleCommunications Operations Monitor5.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2021-32626?
Redis is an open source, in-memory database that persists on disk. In affected versions specially crafted Lua scripts executing in Redis can cause the heap-based Lua stack to be overflowed, due to incomplete checks for this condition. This can result with heap corruption and potentially remote code execution. This problem exists in all versions of Redis with Lua scripting support, starting from 2.6. The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14. For users unable to update an additional workaround to mitigate the problem without patching the redis-server executable is to prevent users from executing Lua scripts. This can be done using ACL to restrict EVAL and EVALSHA commands.
How severe is CVE-2021-32626?
CVE-2021-32626 has a CVSS score of 8.8/10 (HIGH severity). The EPSS model estimates a 15.13% probability of exploitation in the next 30 days.
How do I fix CVE-2021-32626?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2021-32626?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST