First published: Wed Oct 18 2023
<a href="https://access.redhat.com/security/cve/CVE-2023-45145">CVE-2023-45145</a> - On startup Redis calls listen(2) on its Unix-domain socket before the chmod(2) that applies the configured unixsocketperm, so for a short window the socket file carries the mode derived from the process umask rather than the intended permissions. If that umask is permissive, another local process can connect during the window and bypass the desired Unix socket permissions. Upstream have released versions 6.2.14, 7.0.14 and 7.2.2 to fix <a href="https://access.redhat.com/security/cve/CVE-2023-45145">CVE-2023-45145</a>. References: - <a href="https://github.com/redis/redis/releases/tag/7.0.14">https://github.com/redis/redis/releases/tag/7.0.14</a> - <a href="https://bugs.mageia.org/32406">https://bugs.mageia.org/32406</a>
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redis Redis | >=2.6.0<6.2.14 | |
Redis Redis | >=7.0.0<7.0.14 | |
Redis Redis | >=7.2.0<7.2.2 | |
Redis Redis | =2.6.0-rc1 | |
Fedoraproject Fedora | =37 | |
Fedoraproject Fedora | =38 | |
Fedoraproject Fedora | =39 | |
Debian Debian Linux | =10.0 | |
debian/redis | <=5:5.0.14-1+deb10u2, <=5:6.0.16-1+deb11u2 | 5:5.0.14-1+deb10u5, 5:7.0.15-1~deb12u1, 5:7.0.15-1 |
ubuntu/redis | <5:4.0.9-1ubuntu0.2+ | 5:4.0.9-1ubuntu0.2+ |
ubuntu/redis | <5:5.0.7-2ubuntu0.1+ | 5:5.0.7-2ubuntu0.1+ |
ubuntu/redis | <5:6.0.16-1ubuntu1+ | 5:6.0.16-1ubuntu1+ |
ubuntu/redis | <2:2.8.4-2ubuntu0.2+ | 2:2.8.4-2ubuntu0.2+ |
ubuntu/redis | <7.2.2 | 7.2.2 |
ubuntu/redis | <2:3.0.6-1ubuntu0.4+ | 2:3.0.6-1ubuntu0.4+ |
IBM Planning Analytics Local - IBM Planning Analytics Workspace | <=2.1 | |
IBM Planning Analytics Local - IBM Planning Analytics Workspace | <=2.0 | |
redhat/redis | <7.2.2 | 7.2.2 |
redhat/redis | <7.0.14 | 7.0.14 |
redhat/redis | <6.2.14 | 6.2.14 |
CVE-2023-45145 is a vulnerability in Redis where the Unix-domain socket is already accepting connections for a short time window before the configured socket permissions are applied, so a local process can connect with only the umask-derived permissions in force.
Redis is an in-memory database that persists on disk.
CVE-2023-45145 affects Redis versions from 2.6.0 up to but not including 6.2.14, from 7.0.0 up to but not including 7.0.14, and from 7.2.0 up to but not including 7.2.2.
The severity of CVE-2023-45145 is low, with a CVSS v3.1 base score of 3.6: exploitation requires local access, a permissive umask on the Redis process, and winning a narrow race at Redis startup.
To fix CVE-2023-45145, upgrade Redis to 6.2.14, 7.0.14 or 7.2.2 (or a later release). Until the upgrade is applied, the window is not usable if Redis is started with a restrictive umask, if the socket file lives in a directory that only the Redis user can traverse, or if the Unix socket is disabled altogether.
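The following is an added example and not Redis's own code; the function names, the socket paths and the umask(0) setting are assumptions made for the demonstration. It contrasts the two call orders the advisory describes: `unix_listen_with_perm()` can run either bind -> listen -> chmod (the pre-fix order) or bind -> chmod -> listen (the order of the fixed releases) and reports the socket file's mode at the instant listen() returns, which is exactly what a racing local client gets to act on. It goes a step beyond the advisory text by also showing why the corrected order leaves no usable window: a connect() to a socket that is bound but not yet listening is refused.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Permission bits (0777 mask) of the socket file at `path`, or -1 if stat fails. */
static int socket_file_mode(const char *path) {
    struct stat st;
    if (stat(path, &st) == -1) return -1;
    return (int)(st.st_mode & 0777);
}

/* Bind an AF_UNIX stream socket to `path`. Returns the fd or -1 (errno set).
 * A stale socket file is unlinked first. bind() creates the new file with
 * mode 0777 & ~umask, which is the root of the problem: until chmod() runs,
 * the umask alone decides who may connect. */
static int unix_bind(const char *path) {
    struct sockaddr_un sa;
    int fd;
    if (strlen(path) >= sizeof sa.sun_path) { errno = ENAMETOOLONG; return -1; }
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd == -1) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);
    unlink(path);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == -1) { close(fd); return -1; }
    return fd;
}

/* Listening Unix socket that should end up with mode `perm`, created in one of
 * two call orders:
 *   fixed == 0: bind -> listen -> chmod   (pre-fix order; the vulnerable one)
 *   fixed == 1: bind -> chmod -> listen   (order used by the fixed releases)
 * `*mode_at_listen` receives the file mode the moment listen() returns, i.e.
 * what a local process racing the server can exploit.
 * Returns the listening fd, or -1 with errno set. */
int unix_listen_with_perm(const char *path, mode_t perm, int fixed, int *mode_at_listen) {
    int fd = unix_bind(path);
    if (fd == -1) return -1;
    if (fixed && chmod(path, perm) == -1) goto fail;
    if (listen(fd, 8) == -1) goto fail;
    *mode_at_listen = socket_file_mode(path);   /* in the pre-fix order the race window is open here */
    if (!fixed && chmod(path, perm) == -1) goto fail;
    return fd;
fail:
    close(fd);
    unlink(path);
    return -1;
}

/* Run unix_listen_with_perm() under a permissive umask (0, as a service started
 * by a sloppy init script might be), return the mode observed right after
 * listen(), and clean up. Returns -1 on failure. */
int mode_seen_by_racer(const char *path, int fixed) {
    mode_t old = umask(0);                      /* constructed worst case: umask 000 */
    int mode = -1;
    int fd = unix_listen_with_perm(path, 0700, fixed, &mode);
    umask(old);
    if (fd == -1) return -1;
    close(fd);
    unlink(path);
    return mode;
}

/* Why bind -> chmod -> listen closes the window: a connect() to a socket that
 * is bound but not yet listening is refused, so the bind -> chmod gap cannot be
 * used. Returns 1 if connect() failed with ECONNREFUSED, 0 otherwise, -1 on setup error. */
int connect_before_listen_refused(const char *path) {
    struct sockaddr_un sa;
    int srv = unix_bind(path), cli, rc, saved;
    if (srv == -1) return -1;
    cli = socket(AF_UNIX, SOCK_STREAM, 0);
    if (cli == -1) { close(srv); unlink(path); return -1; }
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strcpy(sa.sun_path, path);                  /* length already validated by unix_bind() */
    rc = connect(cli, (struct sockaddr *)&sa, sizeof sa);
    saved = errno;
    close(cli);
    close(srv);
    unlink(path);
    return rc == -1 && saved == ECONNREFUSED;
}
```

On Linux, connect(2) on a Unix-domain socket requires write permission on the socket file, so the exposure in the pre-fix order exists only when the umask leaves group or other write bits set: with the common 022 umask the file is created 0755 and the race yields nothing, which is why the upstream advisory conditions the issue on a permissive umask. That is also why a restrictive umask is a valid interim mitigation and why the example forces umask 000 to make the window visible.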