CVE-2021-32672
First published: Mon Oct 04 2021(Updated: )
Redis is an open source, in-memory database that persists on disk. When using the Redis Lua Debugger, users can send malformed requests that cause the debugger’s protocol parser to read data beyond the actual buffer. This issue affects all versions of Redis with Lua debugging support (3.2 or newer). The problem is fixed in versions 6.2.6, 6.0.16 and 5.0.14.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redis Redis | >=3.2.0<5.0.14 | |
| Redis Redis | >=6.0.0<6.0.16 | |
| Redis Redis | >=6.2.0<6.2.6 | |
| Redhat Software Collections | ||
| Redhat Enterprise Linux | =8.0 | |
| Debian Debian Linux | =10.0 | |
| Debian Debian Linux | =11.0 | |
| Fedoraproject Fedora | =33 | |
| Fedoraproject Fedora | =34 | |
| Fedoraproject Fedora | =35 | |
| Netapp Management Services For Element Software | ||
| Netapp Management Services For Netapp Hci | ||
| Oracle Communications Operations Monitor | =4.3 | |
| Oracle Communications Operations Monitor | =4.4 | |
| Oracle Communications Operations Monitor | =5.0 | |
| debian/redis | 5:5.0.14-1+deb10u2 5:5.0.14-1+deb10u5 5:6.0.16-1+deb11u2 5:7.0.11-1 5:7.0.14-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd
- https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HTYQ5ZF37HNGTZWVNJD3VXP7I6MEEF42/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VL5KXFN3ATM7IIM7Q4O4PWTSRGZ5744Z/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WR5WKJWXD4D6S3DJCZ56V74ESLTDQRAB/
- https://security.gentoo.org/glsa/202209-17
- https://security.netapp.com/advisory/ntap-20211104-0003/
- https://www.debian.org/security/2021/dsa-5001
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2012198
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2012197
- https://access.redhat.com/errata/RHSA-2021:3873
- https://access.redhat.com/security/cve/cve-2021-32672
- https://access.redhat.com/errata/RHSA-2021:3925
- https://access.redhat.com/errata/RHSA-2021:3949
- https://access.redhat.com/errata/RHSA-2021:4618
- https://bugzilla.redhat.com/show_bug.cgi?id=2011001
- https://www.cve.org/CVERecord?id=CVE-2021-32672 https://nvd.nist.gov/vuln/detail/CVE-2021-32672 https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm
- https://security-tracker.debian.org/tracker/CVE-2021-32672
Frequently Asked Questions
What is CVE-2021-32672?
CVE-2021-32672 is a vulnerability in Redis that allows users to send malformed requests to the Redis Lua Debugger.
How severe is CVE-2021-32672?
CVE-2021-32672 has a severity rating of 4.3, which is considered medium.
What versions of Redis are affected by CVE-2021-32672?
This vulnerability affects all versions of Redis with Lua debugging support (3.2 or newer).
How can I fix CVE-2021-32672?
To fix CVE-2021-32672, you should update Redis to version 6.2.6 or apply the appropriate remediation provided by your operating system or package manager.
Where can I find more information about CVE-2021-32672?
You can find more information about CVE-2021-32672 on the GitHub security advisory page (https://github.com/redis/redis/security/advisories/GHSA-9mj9-xx53-qmxm) or the Redis GitHub repository (https://github.com/redis/redis/commit/6ac3c0b7abd35f37201ed2d6298ecef4ea1ae1dd).
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-32672
- agent/software-canonical-lookup
- collector/redhat-cve
- collector/security-tracker-debian
- vendor/redis
- canonical/redis redis
- version/redis redis/3.2.0
- version/redis redis/6.0.0
- version/redis redis/6.2.0
- vendor/redhat
- canonical/redhat software collections
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/10.0
- version/debian debian linux/11.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/33
- version/fedoraproject fedora/34
- version/fedoraproject fedora/35
- vendor/netapp
- canonical/netapp management services for element software
- canonical/netapp management services for netapp hci
- vendor/oracle
- canonical/oracle communications operations monitor
- version/oracle communications operations monitor/4.3
- version/oracle communications operations monitor/4.4
- version/oracle communications operations monitor/5.0
- package-manager/redhat
- package-manager/debian