CVE-2018-11219
Published: 17 June 2018
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2, leading to a failure of bounds checking.
From the Ubuntu Security Team
It was discovered that Redis incorrectly handled integers. An attacker could possibly use this issue to cause a denial of service.
Priority
Severity score breakdown
Parameter | Value |
---|---|
Base score | 9.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://github.com/antirez/redis/issues/5017
- http://antirez.com/news/119
- https://github.com/antirez/redis/commit/1eb08bcd4634ae42ec45e8284923ac048beaa4c3
- https://github.com/antirez/redis/commit/e89086e09a38cc6713bcd4b9c29abf92cf393936
- https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES
- https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES
- https://www.debian.org/security/2018/dsa-4230
- https://www.cve.org/CVERecord?id=CVE-2018-11219
- NVD
- Launchpad
- Debian