Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-45145

Redis is an in-memory database that persists on disk. On startup, Redis begins listening on a Unix socket before adjusting its permissions to the user-provided configuration. If a permissive umask(2) is used, this creates a race condition that enables, during a short period of time, another process to establish an otherwise unauthorized connection. This problem has existed since Redis 2.6.0-RC1. This issue has been addressed in Redis versions 7.2.2, 7.0.14 and 6.2.14. Users are advised to upgrade. For users unable to upgrade, it is possible to work around the problem by disabling Unix sockets, starting Redis with a restrictive umask, or storing the Unix socket file in a protected directory.

Published

2023-10-18T21:15:09.560

Last Modified

2024-11-21T08:26:26.370

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 3.6 (LOW)

Weaknesses

Type: Secondary
CWE-668
Type: Primary
CWE-668

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	redis	redis	< 6.2.14	Yes
Application	redis	redis	< 7.0.14	Yes
Application	redis	redis	< 7.2.2	Yes
Application	redis	redis	2.6.0	Yes
Operating System	fedoraproject	fedora	37	Yes
Operating System	fedoraproject	fedora	38	Yes
Operating System	fedoraproject	fedora	39	Yes
Operating System	debian	debian_linux	10.0	Yes

References

https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1 Patch ([email protected])
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx Vendor Advisory ([email protected])
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/ Mailing List, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/[email protected]/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/ Mailing List ([email protected])
https://security.netapp.com/advisory/ntap-20231116-0014/ Third Party Advisory ([email protected])
https://github.com/redis/redis/commit/03345ddc7faf7af079485f2cbe5d17a1611cbce1 Patch (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/redis/redis/security/advisories/GHSA-ghmp-889m-7cvx Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2023/10/msg00032.html Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/464JPNBWE433ZGYXO3KN72VR3KJPWHAW/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/BNEK2K4IE7MPKRD6H36JXZMJKYS6I5GQ/ Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/[email protected]/message/DZMGTTV5XM4LA66FSIJSETNBBRRPJYOQ/ Mailing List (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20231116-0014/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)