CVE-2024-31228

NameCVE-2024-31228
DescriptionRedis is an open source, in-memory database that persists on disk. Authenticated users can trigger a denial-of-service by using specially crafted, long string match patterns on supported commands such as `KEYS`, `SCAN`, `PSUBSCRIBE`, `FUNCTION LIST`, `COMMAND LIST` and ACL definitions. Matching of extremely long patterns may result in unbounded recursion, leading to stack overflow and process crash. This problem has been fixed in Redis versions 6.2.16, 7.2.6, and 7.4.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1084805

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
redict (PTS)sid, trixie7.3.1+ds-1fixed
redis (PTS)bullseye5:6.0.16-1+deb11u2vulnerable
bullseye (security)5:6.0.16-1+deb11u3vulnerable
bookworm, bookworm (security)5:7.0.15-1~deb12u1vulnerable
sid, trixie5:7.0.15-2fixed
valkey (PTS)sid, trixie8.0.1+dfsg1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
redictsource(unstable)7.3.1+ds-1
redissource(unstable)5:7.0.15-21084805
valkeysource(unstable)8.0.1+dfsg1-1

Notes

https://github.com/redis/redis/security/advisories/GHSA-66gq-c942-6976
https://github.com/redis/redis/commit/c8649f8e852d1dc388b5446e003bb0eefa33d61f (7.2.6)
Fixed by: https://github.com/redis/redis/commit/9317bf64659b33166a943ec03d5d9b954e86afb0 (6.2)
https://github.com/valkey-io/valkey/pull/1114
https://github.com/valkey-io/valkey/commit/4fbab5740bfef66918d6c2950dd2b3b4e07815a2 (8.0.1)

Search for package or bug name: Reporting problems