OpenCVE

Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Redis	Redis

Configuration 1 [-]

cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48
https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f
https://github.com/redis/redis/issues/8712
https://nvd.nist.gov/vuln/detail/CVE-2021-31294
https://security.netapp.com/advisory/ntap-20230814-0007/
https://www.cve.org/CVERecord?id=CVE-2021-31294

History

Wed, 30 Oct 2024 19:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-07-15T00:00:00

Updated: 2024-10-30T18:29:51.110Z

Reserved: 2021-04-15T00:00:00

Link: CVE-2021-31294

Vulnrichment

Updated: 2024-08-03T22:55:53.538Z

NVD

Status : Modified

Published: 2023-07-15T23:15:09.203

Modified: 2024-11-21T06:05:24.390

Link: CVE-2021-31294

Redhat

Severity : Moderate

Publid Date: 2023-07-15T00:00:00Z

Links: CVE-2021-31294 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-31294", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-30T18:29:51.110Z", "dateReserved": "2021-04-15T00:00:00", "datePublished": "2023-07-15T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-14T00:00:00"}, "descriptions": [{"lang": "en", "value": "Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/redis/redis/issues/8712"}, {"url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f"}, {"url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48"}, {"url": "https://security.netapp.com/advisory/ntap-20230814-0007/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:55:53.538Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/redis/redis/issues/8712", "tags": ["x_transferred"]}, {"url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f", "tags": ["x_transferred"]}, {"url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230814-0007/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-30T18:29:37.407639Z", "id": "CVE-2021-31294", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T18:29:51.110Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/redis/redis/issues/8712", "tags": ["x_transferred"]}, {"url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f", "tags": ["x_transferred"]}, {"url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20230814-0007/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:55:53.538Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2021-31294", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-30T18:29:37.407639Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-30T18:29:43.740Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "https://github.com/redis/redis/issues/8712"}, {"url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f"}, {"url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48"}, {"url": "https://security.netapp.com/advisory/ntap-20230814-0007/"}], "descriptions": [{"lang": "en", "value": "Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-08-14T00:00:00"}}}, "cveMetadata": {"cveId": "CVE-2021-31294", "state": "PUBLISHED", "dateUpdated": "2024-10-30T18:29:51.110Z", "dateReserved": "2021-04-15T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2023-07-15T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "matchCriteriaId": "28E377D7-3E6B-40DE-B628-CABF8CFF59AB", "versionEndExcluding": "6.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this."}], "id": "CVE-2021-31294", "lastModified": "2024-11-21T06:05:24.390", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-07-15T23:15:09.203", "references": [{"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48"}, {"source": "cve@mitre.org", "tags": ["Patch"], "url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/redis/redis/issues/8712"}, {"source": "cve@mitre.org", "url": "https://security.netapp.com/advisory/ntap-20230814-0007/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/redis/redis/commit/46f4ebbe842620f0976a36741a72482620aa4b48"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/redis/redis/commit/6cbea7d29b5285692843bc1c351abba1a7ef326f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/redis/redis/issues/8712"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20230814-0007/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "redis: an assertion failure in a primary server by sending a non-administrative command", "id": "2223393", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2223393"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-617", "details": ["Redis before 6cbea7d allows a replica to cause an assertion failure in a primary server by sending a non-administrative command (specifically, a SET command). NOTE: this was fixed for Redis 6.2.x and 7.x in 2021. Versions before 6.2 were not intended to have safety guarantees related to this.", "A flaw was found in the Redis package. If a replica sends a SET command to its master during a failover, the master crashes on assertion."], "name": "CVE-2021-31294", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-backend-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-system-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-api-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "redis:6/redis", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "redis", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Will not fix", "package_name": "redis", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Not affected", "package_name": "openstack-redis-base-container", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:16.1", "fix_state": "Will not fix", "package_name": "openstack-redis-container", "product_name": "Red Hat OpenStack Platform 16.1"}, {"cpe": "cpe:/a:redhat:openstack:17.0", "fix_state": "Not affected", "package_name": "openstack-redis-container", "product_name": "Red Hat OpenStack Platform 17.0"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "openstack-redis-container", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "openstack-redis-container", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-gitlab-sidekiq-fetcher", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-gitlab-sidekiq-fetcher", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-redis6-redis", "product_name": "Red Hat Software Collections"}], "public_date": "2023-07-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-31294\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-31294\nhttps://github.com/redis/redis/issues/8712"], "threat_severity": "Moderate", "upstream_fix": "redis 6.2.x, redis 7.x"}