CVE-2023-22458 MEDIUM

CVE-2023-22458: Integer overflow in multiple Redis commands can lead to denial-of-service

Vendor Redis
Product redis
Weakness CWE-190
Published January 20, 2023
Last update March 10, 2025

CVSS base score

5.5/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Redis is an in-memory database that persists on disk. Authenticated users can issue a `HRANDFIELD` or `ZRANDMEMBER` command with specially crafted arguments to trigger a denial-of-service by crashing Redis with an assertion failure. This problem affects Redis versions 6.2 or newer up to but not including 6.2.9 as well as versions 7.0 up to but not including 7.0.8. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Key dates

Disclosure timeline

January 20, 2023 CVE published
March 10, 2025 Record updated