Unrated severity · NVD Advisory · Published Oct 7, 2024 · Updated Oct 7, 2024
Denial-of-service due to malformed ACL selectors in Redis
CVE-2024-31227
Description
Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem exists in Redis 7 prior to versions 7.2.6 and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected products
osv-coords (30 versions):
- pkg:apk/chainguard/py3.10-redis (no CPE), range: < 0
- pkg:apk/chainguard/py3.11-redis (no CPE), range: < 0
- pkg:apk/chainguard/py3.12-redis (no CPE), range: < 0
- pkg:apk/chainguard/py3.13-redis (no CPE), range: < 0
- pkg:apk/chainguard/py3-redis (no CPE), range: < 0
- pkg:apk/chainguard/redis-7.2 (no CPE), range: < 7.2.6-r0
- pkg:apk/chainguard/redis-7.2-iamguarded-compat (no CPE), range: < 7.2.12-r2
- pkg:apk/chainguard/redis-7.4 (no CPE), range: < 7.4.1-r0
- pkg:apk/chainguard/redis-benchmark-7.2 (no CPE), range: < 7.2.12-r2
- pkg:apk/chainguard/redis-cli-7.2 (no CPE), range: < 7.2.12-r2
- pkg:apk/chainguard/redis-cluster-7.2-iamguarded-compat (no CPE), range: < 7.2.12-r2
- pkg:apk/chainguard/redis-sentinel-7.2-iamguarded-compat (no CPE), range: < 7.2.12-r2
- pkg:apk/wolfi/redis-7.2 (no CPE), range: < 7.2.6-r0
- pkg:apk/wolfi/redis-7.4 (no CPE), range: < 7.4.1-r0
- pkg:apk/wolfi/redis-benchmark-7.2 (no CPE), range: < 7.2.12-r2
- pkg:apk/wolfi/redis-cli-7.2 (no CPE), range: < 7.2.12-r2
- pkg:bitnami/keydb (no CPE), range: >= 7.0.0
- pkg:bitnami/redis (no CPE), range: >= 7.0.0, < 7.2.8
- pkg:bitnami/valkey (no CPE), range: < 7.2.7
- pkg:rpm/almalinux/redis (no CPE), range: < 7.2.6-1.module_el9.5.0+130+36ae7635
- pkg:rpm/almalinux/redis-devel (no CPE), range: < 7.2.6-1.module_el9.5.0+130+36ae7635
- pkg:rpm/almalinux/redis-doc (no CPE), range: < 7.2.6-1.module_el9.5.0+130+36ae7635
- pkg:rpm/opensuse/redis7&distro=openSUSE%20Leap%2015.5 (no CPE), range: < 7.0.8-150500.3.12.1
- pkg:rpm/opensuse/redis7&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 7.0.8-150600.8.3.1
- pkg:rpm/opensuse/redis&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 7.2.4-150600.3.3.1
- pkg:rpm/opensuse/redis&distro=openSUSE%20Tumbleweed (no CPE), range: < 8.0.2-1.1
- pkg:rpm/opensuse/valkey&distro=openSUSE%20Tumbleweed (no CPE), range: < 8.0.1-1.1
- pkg:rpm/suse/redis7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP5 (no CPE), range: < 7.0.8-150500.3.12.1
- pkg:rpm/suse/redis7&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 (no CPE), range: < 7.0.8-150600.8.3.1
- pkg:rpm/suse/redis&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6 (no CPE), range: < 7.2.4-150600.3.3.1
Patches
No patches discovered yet.
References
- github.com/redis/redis/commit/b351d5a3210e61cc3b22ba38a723d6da8f3c298a (mitre, x_refsource_MISC)
- github.com/redis/redis/security/advisories/GHSA-38p4-26x2-vqhh (mitre, x_refsource_CONFIRM)