Cyber Resilience

CVE-2021-32625

High

Published: 02 June 2021
Modified: 21 November 2024
KEV Added: not listed
Patch: fixed in 6.0.14 and 6.2.4
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0375 (88.3rd percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2021-32625 is a high-severity Integer Overflow to Buffer Overflow (CWE-680) vulnerability in Redis (Redis Labs). Its CVSS v3.1 base score is 7.5 (High).

Its EPSS score places it in the top 11.7% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog.

Vulnerability details

Redis is an open source (BSD licensed), in-memory data structure store, used as a database, cache, and message broker. An integer overflow bug in Redis version 6.0 or newer can be triggered through the STRALGO LCS command to corrupt the heap and potentially lead to remote code execution. It is the result of an incomplete fix for CVE-2021-29477. The problem is fixed in versions 6.2.4 and 6.0.14. As a workaround that does not require patching the redis-server executable, use the ACL configuration to prevent clients from running the STRALGO LCS command. On 64-bit systems that already carry the CVE-2021-29477 fixes (6.2.3 or 6.0.13), it is sufficient to keep the proto-max-bulk-len config parameter below 2GB (the default is 512MB).
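The version ranges and the two workarounds above can be checked offline against a configuration file before touching a live server. The following Python script is an added example for this entry, not code from Redis or from the original page. It assumes the Redis memory-unit convention (k/m/g are powers of 1000, kb/mb/gb are powers of 1024) and uses a deliberately simplified ACL model: it only understands allcommands/nocommands, reset, +@all/-@all, +stralgo/-stralgo (with or without a |subcommand suffix) and the @string and @read categories that STRALGO is assumed to belong to, applied left to right with the last matching rule winning. It further assumes that the built-in default user starts with all commands when redis.conf does not redefine it, and that a later `user` line for the same name replaces an earlier one. The sample configuration and the `audit` helper are constructed for the example.

```python
"""Offline audit of CVE-2021-32625 exposure from a redis.conf-style text.

Added example for this page, not code from Redis or from the original entry.
It checks the three facts in the advisory text: the affected version ranges,
the proto-max-bulk-len < 2GB condition, and whether ACL rules still let a
user reach STRALGO. The ACL evaluation is a simplified model (assumption):
it only understands allcommands/nocommands, reset, +@all/-@all,
+stralgo/-stralgo (with or without a |subcommand suffix) and the @string and
@read categories STRALGO is assumed to belong to; rules apply left to right.
"""
import re
from typing import Dict, List, Tuple

# Fixed releases named in the advisory; earlier releases of the same minor
# line are affected.
FIXED_VERSIONS = {(6, 0): (6, 0, 14), (6, 2): (6, 2, 4)}

# Redis memory units: k/m/g are powers of 1000, kb/mb/gb powers of 1024,
# no suffix means bytes; suffixes are case-insensitive.
_UNITS = {"": 1, "k": 1000, "kb": 1024, "m": 1000 ** 2, "mb": 1024 ** 2,
          "g": 1000 ** 3, "gb": 1024 ** 3}
TWO_GB = 2 * 1024 ** 3
DEFAULT_PROTO_MAX_BULK_LEN = 512 * 1024 ** 2  # the default quoted above

# Simplified ACL model (see module docstring). "allcommands" is also what the
# built-in default user is assumed to start with when redis.conf does not
# redefine it.
_ENABLE = {"allcommands", "+@all", "+stralgo", "+@string", "+@read"}
_DISABLE = {"nocommands", "reset", "-@all", "-stralgo", "-@string", "-@read"}


def parse_version(version: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in version.strip().split("."))


def is_affected_version(version: str) -> bool:
    """True for 6.0.0 <= v < 6.0.14 and 6.2.0 <= v < 6.2.4."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    return fixed is not None and v < fixed


def parse_memory(value: str) -> int:
    """Convert a redis.conf memory value such as '512mb' or '2gb' to bytes."""
    m = re.fullmatch(r"(\d+)\s*([kmg]b?)?", value.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised memory value: {value!r}")
    return int(m.group(1)) * _UNITS[(m.group(2) or "").lower()]


def user_can_run_stralgo(rules: List[str]) -> bool:
    """Apply ACL rule tokens in order; a new user starts with no commands."""
    allowed = False
    for tok in rules:
        t = tok.lower().split("|", 1)[0]  # "+stralgo|lcs" counts as +stralgo
        if t in _ENABLE:
            allowed = True
        elif t in _DISABLE:
            allowed = False
    return allowed


def audit(conf_text: str, version: str) -> Dict[str, object]:
    """Report version exposure, bulk-length limit and users who keep STRALGO."""
    proto_max = DEFAULT_PROTO_MAX_BULK_LEN
    users: Dict[str, List[str]] = {"default": ["allcommands"]}
    for raw in conf_text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        if key == "proto-max-bulk-len" and len(parts) == 2:
            proto_max = parse_memory(parts[1])
        elif key == "user" and len(parts) >= 2:
            # A later "user" line for the same name replaces the earlier one
            # (assumption about redis.conf semantics).
            users[parts[1]] = parts[2:]
    return {
        "version_affected": is_affected_version(version),
        "proto_max_bulk_len": proto_max,
        "bulk_len_below_2gb": proto_max < TWO_GB,
        "users_with_stralgo": sorted(u for u, r in users.items()
                                     if user_can_run_stralgo(r)),
    }


# Constructed sample configuration for the example (not a real deployment).
SAMPLE_CONF = """\
port 6379
proto-max-bulk-len 4gb
user default on nopass ~* &* +@all -stralgo
user app on >secret ~app:* +@read
user batch on >secret ~* +@all
"""

if __name__ == "__main__":
    # The version would normally come from `redis-server --version` or INFO.
    for key, val in audit(SAMPLE_CONF, "6.2.3").items():
        print(f"{key}: {val}")
```

On the sample, the default user is blocked by the trailing `-stralgo`, but `app` and `batch` can still reach the command and the 4gb bulk limit defeats the interim mitigation, so only upgrading to 6.0.14 or 6.2.4 closes the issue. Against a running instance, feed the script the output of `CONFIG GET proto-max-bulk-len` and `ACL LIST` rather than the file, since rules set at runtime with `ACL SETUSER` or loaded from an `aclfile` are not visible in redis.conf.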

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

redislabs redis: 6.0.0 up to (not including) 6.0.14; 6.2.0 up to (not including) 6.2.4
fedoraproject fedora: 33, 34

Mitigating Controls

No mitigating controls have been mapped by the per-CVE control annotator yet. The vendor workarounds given in the vulnerability details apply: deny the STRALGO command through the ACL configuration, and on 64-bit builds that already include the CVE-2021-29477 fix keep proto-max-bulk-len below 2GB; the durable fix is to upgrade to 6.0.14 or 6.2.4.
