CVE-2022-36021: Redis string pattern matching can be abused to achieve Denial of Service
First published: Wed Mar 01 2023(Updated: )
Redis is vulnerable to a denial of service, caused by a flaw in the string pattern matching functionality. By using the string matching commands (such as SCAN or KEYS) with a specially-crafted pattern, a local authenticated attacker could exploit this vulnerability to cause a denial of service.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redis Redis | <6.0.18 | |
| Redis Redis | >=6.2.0<6.2.11 | |
| Redis Redis | >=7.0.0<7.0.9 | |
| IBM Planning Analytics | <=2.0 | |
| debian/redis | <=5:5.0.14-1+deb10u2<=5:6.0.16-1+deb11u2 | 5:5.0.14-1+deb10u5 5:7.0.15-1~deb12u1 5:7.0.15-1 |
| ubuntu/redis | <5:4.0.9-1ubuntu0.2+ | 5:4.0.9-1ubuntu0.2+ |
| ubuntu/redis | <5:5.0.7-2ubuntu0.1+ | 5:5.0.7-2ubuntu0.1+ |
| ubuntu/redis | <5:6.0.16-1ubuntu1+ | 5:6.0.16-1ubuntu1+ |
| ubuntu/redis | <2:2.8.4-2ubuntu0.2+ | 2:2.8.4-2ubuntu0.2+ |
| ubuntu/redis | <6.0.18<6.2.11<7.0.9 | 6.0.18 6.2.11 7.0.9 |
| ubuntu/redis | <2:3.0.6-1ubuntu0.4+ | 2:3.0.6-1ubuntu0.4+ |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/redis/redis/commit/dcbfcb916ca1a269b3feef86ee86835294758f84
- https://github.com/redis/redis/security/advisories/GHSA-jr7j-rfj5-8xqv
- https://launchpad.net/bugs/cve/CVE-2022-36021
- https://exchange.xforce.ibmcloud.com/vulnerabilities/248940
- https://www.ibm.com/support/pages/node/7096528 (Advisory)
- https://github.com/redis/redis/commit/0825552565e5fdab2e87950579c4f0bedded3e3c
- https://security-tracker.debian.org/tracker/CVE-2022-36021
- https://ubuntu.com/security/notices/USN-6531-1
- https://www.cve.org/CVERecord?id=CVE-2022-36021
- https://nvd.nist.gov/vuln/detail/CVE-2022-36021
- https://ubuntu.com/security/CVE-2022-36021
Frequently Asked Questions
What is CVE-2022-36021?
CVE-2022-36021 is a vulnerability in Redis that allows authenticated users to trigger a denial-of-service attack by using string matching commands with a specially crafted pattern.
How can this vulnerability be exploited?
This vulnerability can be exploited by authenticated users using string matching commands like `SCAN` or `KEYS` with a specific pattern.
What is the severity of CVE-2022-36021?
CVE-2022-36021 has a severity rating of medium.
How can I fix CVE-2022-36021?
To fix CVE-2022-36021, it is recommended to upgrade Redis to version 6.0.18 (for Redis 6.0) or versions between 6.2.0 and 6.2.11 (for Redis 6.2), or between 7.0.0 and 7.0.9 (for Redis 7.0).
What is the CWE ID for CVE-2022-36021?
The CWE ID for CVE-2022-36021 is CWE-407.
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/weakness
- agent/remedy
- agent/description
- collector/ibm-support
- source/IBM
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/title
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/redis
- canonical/redis redis
- version/redis redis/6.2.0
- version/redis redis/7.0.0
- vendor/ibm
- canonical/ibm planning analytics
- version/ibm planning analytics/2.0
- package-manager/debian
- package-manager/ubuntu