CVE-2023-28856

Redis is an open source, in-memory database that persists on disk. Authenticated users can use the HINCRBYFLOAT command to create an invalid hash field that will crash Redis on access in affected versions. This issue has been addressed in in versions 7.0.11, 6.2.12, and 6.0.19. Users are advised to upgrade. There are no known workarounds for this issue.

Published: Apr 18, 2023
Updated: Apr 29, 2023
CVE: CVE-2023-28856
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-20
CWE-617

Affected Software
References

Software	From	Fixed in
redis / redis	7.0.0	7.0.11
redis / redis	6.2.0	6.2.12
redis / redis	-	6.0.19
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	36	36.x
fedoraproject / fedora	37	37.x
fedoraproject / fedora	38	38.x

https://github.com/redis/redis/commit/bc7fe41e5857a0854d524e2a63a028e9394d2a5c
https://github.com/redis/redis/pull/11149
https://github.com/redis/redis/security/advisories/GHSA-hjv8-vjf6-wcr6
https://lists.debian.org/debian-lts-announce/2023/04/msg00023.html
https://lists.fedoraproject.org/archives/list/[email protected]/message/EQ4DJSO4DMR55AWK6OPVJH5UTEB35R2Z/
https://lists.fedoraproject.org/archives/list/[email protected]/message/LPUTH7NBQTZDVJWFNUD24ZCS6NDUFYS6/
https://lists.fedoraproject.org/archives/list/[email protected]/message/OQGKMKSQE67L32HE6W5EI2I2YKW5VWHI/
https://security.netapp.com/advisory/ntap-20230601-0007/

Vulnerability Database

289,599

CVE-2023-28856