CVE-2021-29477: Vulnerability in the STRALGO LCS command
First published: Tue May 04 2021(Updated: )
A flaw was found in redis. An integer overflow bug could be exploited to corrupt the heap and potentially result with remote code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redislabs Redis | >=6.0.0<6.0.13 | |
| Redislabs Redis | >=6.2.0<6.2.3 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 |
Remedy
The flaw can be mitigated by disallowing usage of the STRALGO LCS command via ACL configuration. Please see https://redis.io/topics/acl for more information on how to do this.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2021-29477 https://nvd.nist.gov/vuln/detail/CVE-2021-29477 https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g
- https://bugzilla.redhat.com/show_bug.cgi?id=1957410
- https://access.redhat.com/errata/RHSA-2021:3016
- https://access.redhat.com/errata/RHSA-2021:2034
- https://access.redhat.com/security/cve/cve-2021-29477
- https://github.com/redis/redis/security/advisories/GHSA-vqxj-26vj-996g
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPWBIZXA67JFIB63W2CNVVILCGIC2ME5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/EZJ6JGQ2ETZB2DWTQSGCOGG7EF3ILV4V/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
- https://redis.io/
- https://security.gentoo.org/glsa/202107-20
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1957412
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1957411
- https://github.com/redis/redis/commit/92e3b1802f72ca0c5b0bde97f01d9b57a758d85c
- https://github.com/redis/redis/commit/394614a5f91d88380f480c4610926a865b5b0f16
- https://redis.io/topics/acl
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EZJ6JGQ2ETZB2DWTQSGCOGG7EF3ILV4V/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPWBIZXA67JFIB63W2CNVVILCGIC2ME5/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BHWOF7CBVUGDK3AN6H3BN3VNTH2TDUZZ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SN7INTZFE34MIQJO7WDDTIY5LIBGN6GI/
Frequently Asked Questions
What is CVE-2021-29477?
CVE-2021-29477 is a vulnerability in Redis version 6.0 or newer that could be exploited to corrupt the heap and potentially result in remote code execution.
How severe is CVE-2021-29477?
CVE-2021-29477 has a severity rating of 8.8, which is considered high.
Which versions of Redis are affected by CVE-2021-29477?
Redis versions 6.0 or newer, up to and including version 6.2.3, are affected by CVE-2021-29477.
How can CVE-2021-29477 be fixed?
To fix CVE-2021-29477, update Redis to version 6.2.3 if you are using version 6.0 or newer.
Where can I find more information about CVE-2021-29477?
You can find more information about CVE-2021-29477 on the Redis.io website, the GitHub security advisories page, and the Red Hat Bugzilla page.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-29477
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/title
- agent/severity
- agent/references
- agent/description
- agent/tags
- agent/event
- vendor/redislabs
- canonical/redislabs redis
- version/redislabs redis/6.0.0
- version/redislabs redis/6.2.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- package-manager/redhat