Back to bug 2221664
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Zack Miele | 2023-07-10 15:01:50 UTC | Depends On | 2221683, 2221686, 2221688, 2221687, 2221684, 2221685, 2221689 | |
| TEJ RATHI | 2023-07-11 14:16:16 UTC | Summary | TRIAGE-CVE-2023-36824 dev-db/redis: Multiple vulnerabilities | TRIAGE-CVE-2023-36824 redis: heap overflow in COMMAND GETKEYS and ACL evaluation |
| TEJ RATHI | 2023-07-11 14:18:18 UTC | CC | acrosby, adudiak, agarcial, aoconnor, asegurap, bdettelb, caswilli, crarobin, dffrench, dhalasz, fjansen, gzaronik, hkataria, jburrell, jmadigan, jmitchel, jsherril, jtanner, kaycoth, kshier, micjohns, mkleinhe, ngough, nweather, oezr, pamccart, rgodfrey, stcannon, sthirugn, vkrizan, vmugicag, yguenane | |
| TEJ RATHI | 2023-07-11 14:19:43 UTC | CC | hhorak, jorton | |
| TEJ RATHI | 2023-07-11 14:48:37 UTC | CC | aileenc, amasferr, bbuckingham, bcourt, chazlett, davidn, ehelms, epacific, gmalinko, gparvin, janstey, jcammara, jhardy, jneedle, jobarker, lzap, mabashia, mhulan, mkudlej, myarboro, njean, nmoumoul, orabin, osapryki, owatkins, pahickey, pcreech, pdelbell, rchan, simaishi, smcdonal, teagle, tjochec, zsadeh | |
| TEJ RATHI | 2023-07-11 14:53:18 UTC | Comment | 0 | updated |
| TEJ RATHI | 2023-07-11 15:01:18 UTC | Depends On | 2222026 | |
| TEJ RATHI | 2023-07-11 15:22:49 UTC | Priority | high | medium |
| | | Severity | high | medium |
| TEJ RATHI | 2023-07-11 15:25:24 UTC | Priority | medium | high |
| | | Severity | medium | high |
| TEJ RATHI | 2023-07-12 08:54:49 UTC | Doc Text | A heap overflow vulnerability was discovered in Redis, where extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. An attacker may exploit this vulnerability by tricking: (a) authenticated users to execute a specially crafted COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS. (b) authenticated users who were set with ACL rules that match key names, to execute a specially crafted command that refers to a variadic list of key names. | |
| TEJ RATHI | 2023-07-12 09:21:41 UTC | Alias | TRIAGE-CVE-2023-36824 | CVE-2023-36824 |
| | | Summary | TRIAGE-CVE-2023-36824 redis: heap overflow in COMMAND GETKEYS and ACL evaluation | CVE-2023-36824 redis: heap overflow in COMMAND GETKEYS and ACL evaluation |
| RaTasha Tillery-Smith | 2023-07-12 14:08:25 UTC | Doc Text | A heap overflow vulnerability was discovered in Redis, where extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption and potentially remote code execution. An attacker may exploit this vulnerability by tricking: (a) authenticated users to execute a specially crafted COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS. (b) authenticated users who were set with ACL rules that match key names, to execute a specially crafted command that refers to a variadic list of key names. | A heap overflow vulnerability was found in Redis, where extracting key names from a command and a list of arguments may, in some cases, trigger a heap overflow and result in reading random heap memory, heap corruption, and potentially remote code execution. This flaw allows an attacker to trick authenticated users into executing a specially crafted COMMAND GETKEYS or COMMAND GETKEYSANDFLAGS and also trick authenticated users who were set with ACL rules that match key names, to execute a specially crafted command that refers to a variadic list of key names. |