What is CVE-2022-36021?

CVE-2022-36021 is a vulnerability in Redis that allows authenticated users to trigger a denial-of-service attack by using string matching commands with a specially crafted pattern.

How can this vulnerability be exploited?

This vulnerability can be exploited by authenticated users using string matching commands like `SCAN` or `KEYS` with a specific pattern.

What is the severity of CVE-2022-36021?

CVE-2022-36021 has a severity rating of medium.

How can I fix CVE-2022-36021?

To fix CVE-2022-36021, it is recommended to upgrade Redis to version 6.0.18 (for Redis 6.0) or versions between 6.2.0 and 6.2.11 (for Redis 6.2), or between 7.0.0 and 7.0.9 (for Redis 7.0).

What is the CWE ID for CVE-2022-36021?

The CWE ID for CVE-2022-36021 is CWE-407.

Vulnerability/
CVE-2022-36021

medium

5.5

CWE

407 190

1/3/2023

27/1/2025

CVE-2022-36021: Redis string pattern matching can be abused to achieve Denial of Service

First published: Wed Mar 01 2023(Updated: )

(<a href="https://access.redhat.com/security/cve/CVE-2023-25155">CVE-2023-25155</a>) Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. <a href="https://github.com/gentoo/gentoo/pull/29860">https://github.com/gentoo/gentoo/pull/29860</a>

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
IBM Planning Analytics	<=2.0
debian/redis	<=5:5.0.14-1+deb10u2<=5:6.0.16-1+deb11u2	5:5.0.14-1+deb10u5 5:7.0.15-1~deb12u1 5:7.0.15-1
ubuntu/redis	<5:4.0.9-1ubuntu0.2+	5:4.0.9-1ubuntu0.2+
ubuntu/redis	<5:5.0.7-2ubuntu0.1+	5:5.0.7-2ubuntu0.1+
ubuntu/redis	<5:6.0.16-1ubuntu1+	5:6.0.16-1ubuntu1+
ubuntu/redis	<2:2.8.4-2ubuntu0.2+	2:2.8.4-2ubuntu0.2+
ubuntu/redis	<6.0.18<6.2.11<7.0.9	6.0.18 6.2.11 7.0.9
ubuntu/redis	<2:3.0.6-1ubuntu0.4+	2:3.0.6-1ubuntu0.4+
Redis	<6.0.18
Redis	>=6.2.0<6.2.11
Redis	>=7.0.0<7.0.9

Remedy

https://github.com/redis/redis/commit/dcbfcb916ca1a269b3feef86ee86835294758f84

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-36021?
CVE-2022-36021 is a vulnerability in Redis that allows authenticated users to trigger a denial-of-service attack by using string matching commands with a specially crafted pattern.
How can this vulnerability be exploited?
This vulnerability can be exploited by authenticated users using string matching commands like `SCAN` or `KEYS` with a specific pattern.
What is the severity of CVE-2022-36021?
CVE-2022-36021 has a severity rating of medium.
How can I fix CVE-2022-36021?
To fix CVE-2022-36021, it is recommended to upgrade Redis to version 6.0.18 (for Redis 6.0) or versions between 6.2.0 and 6.2.11 (for Redis 6.2), or between 7.0.0 and 7.0.9 (for Redis 7.0).
What is the CWE ID for CVE-2022-36021?
The CWE ID for CVE-2022-36021 is CWE-407.

agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
agent/author
agent/weakness
agent/remedy
agent/description
collector/ibm-support
source/IBM
agent/software-canonical-lookup
collector/security-tracker-debian
source/Debian
collector/usn-cve
source/Ubuntu
collector/mitre-cve
source/MITRE
agent/references
agent/last-modified-date
agent/title
agent/severity
agent/event
agent/trending
agent/source
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-index
agent/tags
agent/softwarecombine
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2022-36021
vendor/ibm
canonical/ibm planning analytics
version/ibm planning analytics/2.0
package-manager/debian
package-manager/ubuntu
vendor/redis
canonical/redis
version/redis/6.2.0
version/redis/7.0.0