CVE-2023-45145

Name: CVE-2023-45145
Creator: NVD / NIST
Published: 2023-10-18T21:15:09.56+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

LOWCVSS 3.6/10EPSS 0.44%

Last modified Jun 17, 2026

CVE-2023-45145 is a low-severity vulnerability rated 3.6/10 on the CVSS scale. Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. EPSS estimates a 0.44% chance of exploitation in the next 30 days.

Description

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Metrics

CVSS 3.1

3.6/10

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS Probability

0.44%

35.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions	Update
Redis	Redis	>= 2.6.0, < 6.2.14	—
Redis	Redis	>= 7.0.0, < 7.0.14	—
Redis	Redis	>= 7.2.0, < 7.2.2	—
Redis	Redis	2.6.0	Rc1
Fedoraproject	Fedora	37	—
Fedoraproject	Fedora	38	—
Fedoraproject	Fedora	39	—
Debian	Debian Linux	10.0	—

References

https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1Patch
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvxVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/Mailing List
https://security.netapp.com/advisory/ntap-20231116-0014/Third Party Advisory
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1Patch
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvxVendor Advisory
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/Mailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/Mailing List
https://security.netapp.com/advisory/ntap-20231116-0014/Third Party Advisory

Timeline

Published: Oct 18, 2023
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2023-45145?

How severe is CVE-2023-45145?

CVE-2023-45145 has a CVSS score of 3.6/10 (LOW severity). The EPSS model estimates a 0.44% probability of exploitation in the next 30 days.

How do I fix CVE-2023-45145?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-45145?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST