Your submission was sent successfully! Close

CVE-2019-10192

Published: 11 July 2019

A heap-buffer overflow vulnerability was found in the Redis hyperloglog data structure versions 3.x before 3.2.13, 4.x before 4.0.14 and 5.x before 5.0.4. By carefully corrupting a hyperloglog using the SETRANGE command, an attacker could trick Redis interpretation of dense HLL encoding to write up to 3 bytes beyond the end of a heap-allocated buffer.

Priority

Medium

CVSS 3 base score: 7.2

Status

Package Release Status
redis
Launchpad, Ubuntu, Debian
Upstream
Released (5:5.0.4-1)
Ubuntu 18.04 LTS (Bionic Beaver)
Released (5:4.0.9-1ubuntu0.2)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (2:3.0.6-1ubuntu0.4)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable
(code not present)