Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2023-25155

Published: 2 March 2023

Redis is an in-memory database that persists on disk. Authenticated users issuing specially crafted `SRANDMEMBER`, `ZRANDMEMBER`, and `HRANDFIELD` commands can trigger an integer overflow, resulting in a runtime assertion and termination of the Redis server process. This problem affects all Redis versions. Patches were released in Redis version(s) 6.0.18, 6.2.11 and 7.0.9.

Priority

Medium

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package Release Status
redis
Launchpad, Ubuntu, Debian
upstream
Released (6.0.18, 6.2.11, 7.0.9)
kinetic Ignored
(end of life, was needs-triage)
lunar Ignored
(end of life, was needs-triage)
mantic Needs triage

bionic
Released (5:4.0.9-1ubuntu0.2+esm4)
Available with Ubuntu Pro
focal
Released (5:5.0.7-2ubuntu0.1+esm2)
Available with Ubuntu Pro
jammy
Released (5:6.0.16-1ubuntu1+esm1)
Available with Ubuntu Pro
trusty
Released (2:2.8.4-2ubuntu0.2+esm3)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
xenial
Released (2:3.0.6-1ubuntu0.4+esm2)
Available with Ubuntu Pro
Patches:
upstream: https://github.com/redis/redis/commit/2a2a582e7cd99ba3b531336b8bd41df2b566e619

Severity score breakdown

Parameter Value
Base score 6.5
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity impact None
Availability impact High
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H