CVE-2023-22458
moderate-risk
Published 2023-01-20
Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Do I need to act?
!
56.8% chance of exploitation in next 30 days
EPSS score — higher than 43% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.5/10
Medium
LOCAL
/ LOW complexity
Affected Products (1)
Affected Vendors
References (8)
Release Notes
https://github.com/redis/redis/releases/tag/6.2.9
Release Notes
https://github.com/redis/redis/releases/tag/7.0.8
Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj
Release Notes
https://github.com/redis/redis/releases/tag/6.2.9
Release Notes
https://github.com/redis/redis/releases/tag/7.0.8
Third Party Advisory
https://github.com/redis/redis/security/advisories/GHSA-r8w2-2m53-gprj
41
/ 100
moderate-risk
Severity
18/34 · Moderate
Exploitability
18/34 · Moderate
Exposure
5/34 · Minimal