FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

redis -- multiple vulnerabilities

Affected packages
redis < 7.0.9
redis-devel < 7.0.9.20230228
redis62 < 6.2.11
redis6 < 6.0.18

Details

VuXML ID b17bce48-b7c6-11ed-b304-080027f5fec9
Discovery 2023-02-28
Entry 2023-03-01

The Redis core team reports:

CVE-2023-25155
Specially crafted SRANDMEMBER, ZRANDMEMBER, and HRANDFIELD commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process.
CVE-2022-36021
String matching commands (like SCAN or KEYS) with a specially crafted pattern to trigger a denial-of-service attack on Redis, causing it to hang and consume 100% CPU time.

References

CVE Name CVE-2022-36021
CVE Name CVE-2023-25155
URL https://groups.google.com/g/redis-db/c/3hQ1oTO4hMI