OpenCVE

Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redis	Redis

Configuration 1 [-]

OR	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::
	cpe:2.3:a:redis:redis::::::::

No data.

References

Link	Providers
https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7
https://github.com/redis/redis/releases/tag/6.0.17
https://github.com/redis/redis/releases/tag/6.2.9
https://github.com/redis/redis/releases/tag/7.0.8
https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j
https://nvd.nist.gov/vuln/detail/CVE-2022-35977
https://www.cve.org/CVERecord?id=CVE-2022-35977

History

No history.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-01-20T18:19:27.692Z

Updated: 2024-08-03T09:51:59.221Z

Reserved: 2022-07-15T23:52:24.278Z

Link: CVE-2022-35977

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2023-01-20T19:15:14.470

Modified: 2023-02-02T14:28:46.400

Link: CVE-2022-35977

Redhat

Severity : Moderate

Publid Date: 2023-01-17T00:00:00Z

Links: CVE-2022-35977 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2022-35977", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2022-07-15T23:52:24.278Z", "datePublished": "2023-01-20T18:19:27.692Z", "dateUpdated": "2024-08-03T09:51:59.221Z"}, "containers": {"cna": {"title": "Integer overflow in certain command arguments can drive Redis to OOM panic", "problemTypes": [{"descriptions": [{"cweId": "CWE-190", "lang": "en", "description": "CWE-190: Integer Overflow or Wraparound", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j"}, {"name": "https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7", "tags": ["x_refsource_MISC"], "url": "https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7"}, {"name": "https://github.com/redis/redis/releases/tag/6.0.17", "tags": ["x_refsource_MISC"], "url": "https://github.com/redis/redis/releases/tag/6.0.17"}, {"name": "https://github.com/redis/redis/releases/tag/6.2.9", "tags": ["x_refsource_MISC"], "url": "https://github.com/redis/redis/releases/tag/6.2.9"}, {"name": "https://github.com/redis/redis/releases/tag/7.0.8", "tags": ["x_refsource_MISC"], "url": "https://github.com/redis/redis/releases/tag/7.0.8"}], "affected": [{"vendor": "redis", "product": "redis", "versions": [{"version": ">= 7.0, < 7.0.8", "status": "affected"}, {"version": ">= 6.2, < 6.2.9", "status": "affected"}, {"version": "< 6.0.17", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2023-01-20T18:19:27.692Z"}, "descriptions": [{"lang": "en", "value": "Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability."}], "source": {"advisory": "GHSA-mrcw-fhw9-fj8j", "discovery": "UNKNOWN"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T09:51:59.221Z"}, "title": "CVE Program Container", "references": [{"name": "https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j"}, {"name": "https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7"}, {"name": "https://github.com/redis/redis/releases/tag/6.0.17", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/redis/redis/releases/tag/6.0.17"}, {"name": "https://github.com/redis/redis/releases/tag/6.2.9", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/redis/redis/releases/tag/6.2.9"}, {"name": "https://github.com/redis/redis/releases/tag/7.0.8", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/redis/redis/releases/tag/7.0.8"}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "matchCriteriaId": "686AC0A4-C41D-483F-AB78-F000D3177488", "versionEndExcluding": "6.0.17", "versionStartIncluding": "6.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "matchCriteriaId": "0987D1A6-7DB8-468A-92E2-4C9F4BC41430", "versionEndExcluding": "6.2.9", "versionStartIncluding": "6.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redis:redis:*:*:*:*:*:*:*:*", "matchCriteriaId": "4E8878EC-13C4-4C33-A80E-5F1D4E7A5A19", "versionEndExcluding": "7.0.8", "versionStartIncluding": "7.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability."}, {"lang": "es", "value": "Redis es una base de datos en memoria que persiste en el disco. Los usuarios autenticados que emiten comandos `SETRANGE` y `SORT(_RO)` especialmente manipulados pueden desencadenar un desbordamiento de enteros, lo que hace que Redis intente asignar cantidades imposibles de memoria y aborte con un p\u00e1nico de falta de memoria (OOM). El problema se solucion\u00f3 en las versiones 7.0.8, 6.2.9 y 6.0.17 de Redis. Se recomienda a los usuarios que actualicen. No se conocen soluciones para esta vulnerabilidad."}], "id": "CVE-2022-35977", "lastModified": "2023-02-02T14:28:46.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2023-01-20T19:15:14.470", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/redis/redis/commit/1ec82e6e97e1db06a72ca505f9fbf6b981f31ef7"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/redis/redis/releases/tag/6.0.17"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/redis/redis/releases/tag/6.2.9"}, {"source": "security-advisories@github.com", "tags": ["Release Notes", "Third Party Advisory"], "url": "https://github.com/redis/redis/releases/tag/7.0.8"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-190"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"bugzilla": {"description": "redis: Integer overflow in the Redis SETRANGE and SORT/SORT_RO commands may result with false OOM panic", "id": "2163133", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2163133"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-190", "details": ["Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SETRANGE` and `SORT(_RO)` commands can trigger an integer overflow, resulting with Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic. The problem is fixed in Redis versions 7.0.8, 6.2.9 and 6.0.17. Users are advised to upgrade. There are no known workarounds for this vulnerability.", "A flaw was found in Redis, an in-memory database that persists on disk. This flaw allows authenticated users to issue specially crafted `SETRANGE` and `SORT(_RO)` commands to trigger an integer overflow, resulting in Redis attempting to allocate impossible amounts of memory and abort with an out-of-memory (OOM) panic."], "name": "CVE-2022-35977", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Affected", "package_name": "3scale-amp-backend-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/a:redhat:acm:2", "fix_state": "Not affected", "package_name": "rhacm2/search-api-rhel8", "product_name": "Red Hat Advanced Cluster Management for Kubernetes 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform", "fix_state": "Affected", "package_name": "ansible-tower", "product_name": "Red Hat Ansible Automation Platform 1.2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "redis", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "redis:6/redis", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "redis", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "redis", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Out of support scope", "package_name": "redis", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Will not fix", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "satellite:el8/rubygem-gitlab-sidekiq-fetcher", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "tfm-rubygem-gitlab-sidekiq-fetcher", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-redis6-redis", "product_name": "Red Hat Software Collections"}], "public_date": "2023-01-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-35977\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-35977\nhttps://github.com/redis/redis/security/advisories/GHSA-mrcw-fhw9-fj8j"], "threat_severity": "Moderate", "upstream_fix": "redis 7.0.8, redis 6.2.9, redis 6.0.17"}