CVE-2021-32672

Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.

Published: Oct 4, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-32672
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 4
AV:N/AC:L/Au:S/C:P/I:N/A:N

CWEs:

CWE-125

Affected Software
References

Software	From	Fixed in
redis / redis	6.2.0	6.2.6
redis / redis	6.0.0	6.0.16
redis / redis	3.2.0	5.0.14
redhat / enterprise_linux	8.0	8.0.x
debian / debian_linux	10.0	10.0.x
debian / debian_linux	11.0	11.0.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x
fedoraproject / fedora	35	35.x
oracle / communications_operations_monitor	4.3	4.3.x
oracle / communications_operations_monitor	4.4	4.4.x
oracle / communications_operations_monitor	5.0	5.0.x

Vulnerability Database

289,599

CVE-2021-32672